Keeping FreeBSD Up-To-Date: OS Essentials

Richard Bejtlich
An important system administration task, and a principle 
of running a defensible network, is keeping operating 
systems and applications up-to-date. This article presents 
multiple ways to do that. 


Using BSD for your Studies

Edd Barrett 
About four years ago Edd was starting his undergraduate 
computing degree. He knew that UNIX-like operating 
systems had proven themselves in the server room, but 
how would they fare in the lecture theatre? 


The FreeBSD Chatterbox

Eric Vintimilla 
Day in and day out, your FreeBSD sits there quietly, 
processing its workload. It never complains or asks for any 
favors, but what would it say if it could talk? The answer 
to that question is easy. It will say whatever you want it to. 
Make your FreeBSD more talkative with Festival. 


how-to’s 
Encrypting the FreeBSD root file system

Jacques Manukyan
Systems are only as secure as you make them. Thankfully,
FreeBSD offers an excellent range of tools and mechanisms
to ensure that all your security needs are met.


Setting up PC-BSD as a server

Jan Stedenhouder
PC-BSD is so easy to install and the KDE-desktop easy
enough to use that we might almost forget its roots
as a server operating system. Now, and in the future, the
majority of desktop users might not consider this piece of
information of any value.


How to Build a Scalable Search Engine
Using the BuildaSearch Web Service

Diego Montalvo
While other articles do a fantastic job focusing on core
BSD technology, I feel that it is also important to cover web
services powered by BSD systems.


Is NetBSD ready for a desktop?

Petr Topiarz
In this article Petr focuses on the usability of NetBSD
as a desktop. He shows what NetBSD can do today and
whether it is mature enough to challenge PC-BSD or Linux.
If you want to know, start reading!
FreeBSD on the SheevaPlug

Donald T. Hayford 
Though NetBSD is better known for supporting a wide 
variety of processors and systems, FreeBSD has an active 
embedded component, as well. In this article, we'll take a 
look at the ARM-based SheevaPlug and show you how to 
boot your Plug using FreeBSD. 


Email server in FreeBSD

Francisco Reyes
This tutorial is a step-by-step guide on how to set up
your own mail server using Postfix as the Mail Transfer
Agent (MTA) and Dovecot as the IMAP server and as the
authenticating agent for Postfix.


Monitoring OpenBSD with Symon

Matthias Pfeifer
Once you have your OpenBSD Server running, you might
want to monitor your machine. There are several ways
to do this and there is a large number of tools you could
use for it. One of these tools, which I will show you in this
how-to article, is Symon.
BSD as the Platform for Connecting
Strategy to Operations Through a Data
Concourse Service

Richard C. Batka
A major change is about to take place in large
organizations worldwide and BSD is positioned perfectly
to play a starring role.


Living The PC-BSD Lifestyle

James T. Nixon III
Some people are Mac, some are Windows, I am PC-BSD.
PC-BSD is more than an operating system, it's a lifestyle.
OS Essentials





An important system administration task, and a principle of running a defensible 
network, is keeping operating systems and applications up-to-date. 


Running current software is critical when older services are
vulnerable to exploitation. Obtaining new features not found in
older applications is another reason to run current software.
Fortunately, open source software offers a variety of means to give
users a secure, capable computing environment.

This article presents multiple ways to keep the FreeBSD
operating system up-to-date. I take a FreeBSD 7.1 RELEASE
system through a subset of security advisories to explain the
different sorts of patches an administrator might apply. It is
important to realize that this article discusses the OS only;
it does not discuss applications. FreeBSD does not have
a unified update mechanism for the OS and applications.
By applications I mean software outside of the kernel and
userland. For example, Debian systems can use the apt tool
to keep the distribution and packaged applications up-to-date.
FreeBSD does not have a single equivalent tool, so this article
only addresses keeping the OS up-to-date.

Note that there is a difference between an update
and an upgrade. I use the term update to refer to keeping
a certain version of FreeBSD up-to-date. For example,
keeping a FreeBSD 7.1 system at version 7.1, but having the
appropriate security and critical patches applied, qualifies
as an update process. I use the term upgrade to refer to
changing the FreeBSD version, either within a minor version
or to a new major version. For example, migrating from
FreeBSD 7.1 to 7.2, or from 7.2 to 8.0, qualify as upgrade
processes.

I chose FreeBSD 7.1, released in January 2009, as my
starting point because it offers a security history suitable
for describing multiple update cases. At the time of writing
FreeBSD 7.2 is the latest STABLE release and 8.0 is in
BETA. Readers wondering why someone might want to
install an old OS version can imagine that there might be
an application supported only on FreeBSD 7.1 and not yet
officially ready for 7.2 or 8.0, prompting an administrator to
run a 7.1 box.

All of the work done in this article was done remotely
via OpenSSH. One danger of performing remote upgrades
is losing connection during a critical phase of the process.
One software-based way to deal with this issue is to conduct
all remote upgrades within a screen(1) session
(http://www.freshports.org/misc/screen). Should you lose connectivity
during the upgrade while running screen, your session will
continue uninterrupted. The screen(1) program has suffered
security problems in the past, so balance its features against
the possible risks.
My advice on administering this reference platform is based on
deploying FreeBSD on servers, workstations, and laptops since 2000.
The article represents a mix of my interpretations of official
FreeBSD documentation, inputs from mentors, and the result of my
own experimentation and deployment strategies. This guide cannot be
anywhere near a complete reference on keeping FreeBSD up-to-date or
maintaining a secure system. I strongly recommend reading the
excellent FreeBSD Handbook as well as the multiple helpful published
books on FreeBSD.


FreeBSD Handbook and
Absolute FreeBSD, 2nd Ed


Please note that Chapter 24, Updating and Upgrading FreeBSD, is the
authoritative source for information on keeping the FreeBSD OS
up-to-date
(http://www.freebsd.org/doc/en/books/handbook/updating-upgrading.html).
The reason I wrote this article was to show how these various
mechanisms apply in practice, and which I prefer in production.
I must also recommend Michael W. Lucas' excellent book Absolute
FreeBSD, 2nd Ed (No Starch, 2008). Several other talented FreeBSD
writers have produced books, but Michael's is my favorite. For
deeper coverage on the topics in this article, please see the
Handbook or Michael's book.


The Short Answer: Updating 
FreeBSD with Binary Upgrades 
If you want to jump straight to the easiest way to keep the FreeBSD
OS up-to-date, without changing major or minor versions, and you are
a standard user who has not customized his or her kernel and
userland, follow these instructions. I present this first and with
little introduction because it is the most basic and important step
for keeping the FreeBSD OS up-to-date for the majority of users.


1. Set proxy, if necessary, using setenv HTTP_PROXY http://myproxy:myport.
2. Run freebsd-update fetch.
3. Run freebsd-update install.
4. Reboot.


These steps are demonstrated on a FreeBSD 7.2 system installed from
CD (see Listing 1).
Following those four steps will keep a generic FreeBSD system
up-to-date.

Colin Percival's FreeBSD Update tool is one of the best new aspects
of FreeBSD, in my opinion. Prior to applying binary updates, FreeBSD
administrators had to rely on recompiling source code whenever
updates needed to be applied. This included casual users operating
standard systems as well as power users operating custom systems.
With FreeBSD Update, casual users who are not making changes to the
standard kernel and userland can quickly and easily keep the FreeBSD
OS up-to-date. With some careful use, even power users can benefit
from binary updates.

The rest of the article demonstrates additional methods and details,
depending on the administrator's needs.


Listing 1. Uname output for FreeBSD 7.2

freebsd7a# uname -a
FreeBSD freebsd7a.localdomain 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May
ENO 49 sts ULC 2009
root@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
freebsd7a# setenv HTTP_PROXY bitps 7/7172, 16.2517 3128
freebsd7a# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update5.FreeBSD.org... done.
Fetching metadata signature for 7.2-RELEASE from update5.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 26 patches.. ... LEO re ee Ol aes
Applying patches... done.
The following files will be updated as part of updating to 7.2-RELEASE-p3:
/boot/kernel/if_bce.ko
/boot/kernel/if_bce.ko.symbols
/boot/kernel/if_fxp.ko
/boot/kernel/if_fxp.ko.symbols
/boot/kernel/kernel
/boot/kernel/kernel.symbols
(lay ioe soie 7
/ Ao abbitniesse. 3
wee eC TOC saa:
/usr/sbin/named
/usr/sbin/nologin
/usr/sbin/ntpd
freebsd7a# freebsd-update install
Installing updates... done.
freebsd7a# reboot
freebsd7a# uname -a
FreeBSD freebsd7a.localdomain 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #0:
Wed Jun 24 00:57:44 UTC 2009
root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386


Listing 2. Uname output for FreeBSD 7.1

freebsd7# uname -a
FreeBSD freebsd7.localdomain 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan
Vi RAG SW eee me Une
root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
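
A check to run between the fetch and install steps of the binary update procedure, added here as an example and not taken from the article: it reads a saved copy of the freebsd-update fetch output (format as in Listing 1) and reports the target patch level and whether kernel files are pending, which is what makes the reboot step necessary. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: summarise a saved copy of
# `freebsd-update fetch` output (format as in Listing 1) before installing.

# Release the fetched updates lead to, e.g. 7.2-RELEASE-p3 (empty if none).
update_target() {
    sed -n 's/^The following files will be updated as part of updating to \(.*\):$/\1/p'
}

# Patch level of a release string: 7.2-RELEASE-p3 -> 3, 7.2-RELEASE -> 0.
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# Count pending files whose path starts with the given prefix.
count_under() {
    grep -c "^$1" || true
}

# pending_summary RUNNING_RELEASE < saved-fetch-output
# Prints one line: the target release, how many patch levels the running
# release is behind, kernel and userland file counts, and whether a reboot
# is needed to activate the update (any file under /boot/kernel/).
pending_summary() {
    log=$(cat)
    target=$(printf '%s\n' "$log" | update_target)
    if [ -z "$target" ]; then
        echo "running=$1 pending=none"
        return 0
    fi
    behind=$(( $(patch_level "$target") - $(patch_level "$1") ))
    kernel=$(printf '%s\n' "$log" | count_under /boot/kernel/)
    total=$(printf '%s\n' "$log" | count_under /)
    if [ "$kernel" -gt 0 ]; then reboot=yes; else reboot=no; fi
    echo "running=$1 target=$target behind=$behind kernel_files=$kernel userland_files=$((total - kernel)) reboot=$reboot"
}

# Constructed sample: the legible lines of Listing 1.
sample_fetch_log() {
    cat <<'EOF'
Applying patches... done.
The following files will be updated as part of updating to 7.2-RELEASE-p3:
/boot/kernel/if_bce.ko
/boot/kernel/if_bce.ko.symbols
/boot/kernel/if_fxp.ko
/boot/kernel/if_fxp.ko.symbols
/boot/kernel/kernel
/boot/kernel/kernel.symbols
/usr/sbin/named
/usr/sbin/nologin
/usr/sbin/ntpd
EOF
}
```

uname reports the patch level at which the kernel was last rebuilt, so it can trail the target release, as Listing 1 shows with 7.2-RELEASE-p2 after an update to 7.2-RELEASE-p3.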


Listing 3. Installing GnuPG

freebsd7# pkg_add -vr gnupg
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/gnupg.tbz]
---> ftp.freebsd.org:21
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
...edited...
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/gnupg.tbz...
5a © ON aE NMES
...edited...
Ee ea Uline cule Cl ener
Package gnupg-2.0.9_2 registered in /var/db/pkg/gnupg-2.0.9_2


Figure 2. FreeBSD versions at ftp.freebsd.org (Firefox directory listing of ftp://ftp.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/)


Understanding FreeBSD
Versions

Before explaining ways to keep the FreeBSD OS up-to-date, I must
briefly expand on the idea of the term up-to-date. Thanks to
FreeBSD's open source development methodology, any version of
FreeBSD is available via check out from the Concurrent Versions
System (CVS).
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/anoncvs.html)
These versions can be represented by CVS revision tags.
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html)
The following examples begin with 7.2 RELEASE, the most recently
published version of FreeBSD:


* RELENG_7_2_0_RELEASE is FreeBSD 7.2 RELEASE, just as you might get
  on CD. RELENG_7_2_0_RELEASE is also known as a release tag.

* RELENG_7_2 is the security branch for 7.2, which is FreeBSD 7.2
  RELEASE with patches for security advisories and critical fixes
  applied. RELENG_7_2 is known as a branch tag.

* RELENG_7 is the development line of the FreeBSD 7 tree, also known
  as 7-STABLE. RELENG_7 is also a branch tag.

* . ("dot"), also known as HEAD, is the development line of the next
  version of FreeBSD, 8.0, also known as 8-CURRENT or simply CURRENT.


At the time of writing, the FreeBSD 
project was working the release process 
for FreeBSD 8.0. Creating FreeBSD 8.0 
means declaring that, as of a certain 
date, FreeBSD 8-CURRENT will now 
be designated FreeBSD 8.0. From that 
point forward, CURRENT will be the 
future FreeBSD 9.0, so CURRENT will be 
considered 9-CURRENT. 

The bottom line is that CURRENT should always be thought of as the
next major version of FreeBSD. When 7.2 was the newest FreeBSD
version, CURRENT was being developed as FreeBSD 8.0. When FreeBSD 8.0
is released, CURRENT will be developed as FreeBSD 9.0.

Incidentally, during the release process for FreeBSD 8.0, various
beta (BETA) and release candidate (RC) versions will be released to
facilitate testing. In the article you will see references to
FreeBSD 8.0-BETA versions, for example.

Linux users should note that these CVS revision tags do not pertain
to the FreeBSD kernel alone. FreeBSD is developed as an integrated
system, with a kernel matching userland tools. One should not run a
kernel compiled for FreeBSD 7.2 RELEASE on a CURRENT machine. The
kernel and all userland utilities are meant to be upgraded
simultaneously, and must be kept synchronized. While Linux users are
usually forced to acknowledge this good system administration
practice when they upgrade major versions of their kernel (e.g. 2.4
to 2.6), they often maintain the same userland across minor kernel
versions. FreeBSD strongly encourages users to always keep the
userland and kernel in sync using the methods explained in the
Handbook and elaborated upon in this document.

When thinking of what it means to be up-to-date, one can see that
the oldest version of FreeBSD 7.2 is that which was pressed to CD:
RELENG_7_2_0_RELEASE or FreeBSD 7.2 RELEASE. The newest version of
FreeBSD 7.x would be 7-STABLE (also called 7.2-STABLE), a constantly
moving target modified and improved on a daily basis. How does an
administrator decide what to run on her machines?

I prefer to begin a system's life by installing RELEASE software,
like FreeBSD 7.2 RELEASE. As long as the system performs as I would
expect it to, I then track the RELENG_7_2 or security branch. This
allows me to incorporate critical bug and security fixes that could
jeopardize the system.

Occasionally I may encounter a system that requires a feature (like
supporting a new piece of hardware) not present in the RELEASE or
security branches. In cases where that feature is supported by
STABLE, I will upgrade to that branch. In the rare cases where not
even STABLE has the feature I need, I might install a snapshot of
the CURRENT branch. I do not recommend running CURRENT in production
environments as it is not supported like the RELEASE or STABLE
versions are.


Learning About Security Issues
FreeBSD security advisories are published at the FreeBSD security
page and at the freebsd-security-notifications mailing list.
(http://www.freebsd.org/security/advisories.html and
http://lists.freebsd.org/pipermail/freebsd-security-notifications/)
I recommend all FreeBSD users subscribe to the moderated, very low
volume notification mailing list. The advisories provide background,
a problem description, an impact statement, workaround advice, a
solution to fix the problem, and correction details. We'll take a
closer look at an actual security advisory when we learn how to
apply patches manually to the operating system.


Listing 4. Installing GPG

freebsd7# gpg --import /usr/share/doc/en_US.ISO8859-1/books/handbook/pgpkeys.html
gpg: directory '/root/.gnupg' created
gpg: new configuration file '/root/.gnupg/gpg.conf' created
gpg: WARNING: options in '/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring '/root/.gnupg/secring.gpg' created
gpg: keyring '/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key CA6CDFB2: public key "FreeBSD Security Officer <security-officer@FreeBSD.org>" imported
gpg: key FF8AE305: public key "core-secretary@FreeBSD.org" imported
gpg: key 7414629C: public key "FreeBSD portmgr secretary <portmgr-secretary@FreeBSD.org>" imported
gpg: Total number processed: 3
gpg:               imported: 3  (RSA: 1)
gpg: no ultimately trusted keys found


Listing 5. Contents of /usr/src

freebsd7# ls /usr/src
COPYRIGHT               contrib                 rescue
LOCKS                   crypto                  sbin
MAINTAINERS             etc                     secure
Makefile                games                   share
Makefile.inc1           gnu                     sys
ObsoleteFiles.inc       include                 tools
README                  kerberos5               usr.bin
UPDATING                lib                     usr.sbin
bin                     libexec
cddl                    release


Listing 6. Checking out source code using CVS

freebsd7# cd /usr
freebsd7# cvs -d anoncvs@anoncvs1.freebsd.org:/home/ncvs co -r RELENG_7_1 src
cvs checkout: Updating src
cvs checkout: Updating src/bin
cvs checkout: Updating src/bin/cat
...edited...


Listing 7. Installing CVSup

freebsd7# pkg_add -vr cvsup-without-gui
...edited...
x bin/cvpasswd
x bin/cvsup
x sbin/cvsupd
...edited...
Package cvsup-without-gui-16.1h_4 registered in /var/db/pkg/cvsup-without-gui-16.1h_4


Listing 8. Retrieving patch for ktimer

freebsd7# fetch http://security.FreeBSD.org/patches/SA-09:06/ktimer.patch
ktimer.patch 100s oF 4276. B ol kBps
freebsd7# fetch http://security.FreeBSD.org/patches/SA-09:06/ktimer.patch.asc
ktimer.patch.asc 100s. Or Los, 8 24 kBps


Listing 9. Verifying ktimer patch

freebsd7# gpg --verify ktimer.patch.asc ktimer.patch
gpg: Signature made Sun Mar 27 19759:5e8 2009 EDT using DSA key ID CA6CDFB2
gpg: Good signature from "FreeBSD Security Officer <security-officer@FreeBSD.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C374 0FC5 69A6 FBB1 4AED  B131 15D6 8804 CA6C DFB2


Listing 10. Patching ktimer

freebsd7# patch < /root/ktimer.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
|--- sys/kern/kern_time.c (revision 190192)
|+++ sys/kern/kern_time.c (working copy)
Patching file sys/kern/kern_time.c using Plan A...
Hunk #1 succeeded at 1079 (offset -6 lines).
done


Listing 11. Rebuilding the kernel

freebsd7# cd /usr/src/sys/i386/conf
freebsd7# cp GENERIC FREEBSD7
freebsd7# cd /usr/src
freebsd7# make buildkernel KERNCONF=FREEBSD7
===> FREEBSD7
mkdir -p /usr/obj/usr/src/sys
>>> stage 1: configuring the kernel
cd /usr/src/sys/i386/conf; PATH=/usr/obj/usr/src/tmp/legacy/usr/sbin:
/usr/obj/usr/src/tmp/legacy/usr/bin:/usr/obj/usr/src/tmp/legacy/usr/games:
/usr/obj/usr/src/tmp/usr/sbin:/usr/obj/usr/src/tmp/usr/bin:
/usr/obj/usr/src/tmp/usr/games:/sbin:/bin:/usr/sbin:/usr/bin
config -d /usr/obj/usr/src/sys/FREEBSD7 /usr/src/sys/i386/conf/FREEBSD7
Kernel build directory is /usr/obj/usr/src/sys/FREEBSD7
...edited...


Starting with the Installation 

Let's start with the most common deployment scenario, using FreeBSD
7.1 RELEASE as our starting point. For this version, the CVS tag is
RELENG_7_1_0_RELEASE for the version shipped on CD and RELENG_7_1
for the security branch.

The administrator installs FreeBSD 7.1 RELEASE from CD on a new
server. She installs the User distribution set (Average User -
binaries and doc only) and installs the ports tree. When
installation is done, a check of uname output shows what the system
looks like prior to any changes: see Listing 2.

She does not need to modify the 
kernel and is running the GENERIC 
version shipped with the OS. 

At this point the system is running, but it requires security
updates.


Installing Gnupg and Importing
Keys

Whenever an administrator wants to manually apply a security patch,
it is important to validate those patches using Gnu Privacy Guard
(Gnupg, http://www.freshports.org/security/gnupg). In this section
we will install Gnupg and import FreeBSD developer keys (see
Listing 3).

Notice in the output above that the version of Gnupg shipped with
FreeBSD 7.1 (in packages-7.1-release) is the version installed
automatically here.

Next we import required PGP keys (see Listing 4).

With Gnupg installed, you will be able to check signatures on
patches applied later.


Installing Source Code 
When the administrator installed FreeBSD 7.1, she did not install
the source code for the system. We'll do that next.

FreeBSD source code can either be 
checked out from CVS online, or installed 
from other media. Since this system was 
just installed from CD, and we have the 
CD handy, we'll install the source code 
from CD. 


The easiest way to install source code from CD is to use the
sysinstall program.

First, note that the source code is not available yet on the system.


freebsd7# ls /usr/src
freebsd7#


Launch sysinstall.

* Select Configure - Do post-install configuration of FreeBSD
* Select Distributions - Install additional distribution sets
* Select src - Sources for everything by highlighting and hitting
  the space bar
* Select All - Select all of the below by highlighting and hitting
  return. Tab to OK and hit return.
* Tab to OK on the Select the distributions you wish to install page
  and hit return.
* Select CD/DVD - Install from a FreeBSD CD/DVD and hit return.
* Wait until the source code is installed, then exit sysinstall.


Now, listing /usr/src shows the source code is installed (Listing 5).

An alternative to installing the source code from CD involves using
cvs to check it out. In this example we access an anonymous FreeBSD
CVS server (http://www.freebsd.org/doc/en/books/handbook/anoncvs.html).
For example, see Listing 6.

With the source code on the system, 
you will be able to manually apply 
patches and recompile the whole system 
or kernel as necessary. 


Installing CVSup 

The final addition to our FreeBSD 7.1 RELEASE system is the
cvsup-without-gui package (see Listing 7).

It turns out that CVSup isn't really needed on modern FreeBSD
systems, but I include it here because it is the single most
recognizable update tool for FreeBSD.

At this point we have the infrastructure 
in place to try applying patches as 
required. 


Applying Kernel Patches
Manually

In the following sections we will examine a variety of ways to keep
FreeBSD up-to-date. In this section we will look at applying kernel
patches manually. We've already seen how FreeBSD can make updating
the GENERIC kernel very easy. However, the situation becomes more
complicated when administrators run custom kernels or make other
local modifications.

To demonstrate how to manually patch the FreeBSD kernel on our
FreeBSD 7.1 RELEASE system, we will use the FreeBSD-SA-09:06.ktimer
advisory as an example
(http://security.freebsd.org/advisories/FreeBSD-SA-09:06.ktimer.asc).

To implement this advisory, we follow the instructions in part 2
(see Listing 8). Next we validate the patch (see Listing 9).

GPG warns us that we have not taken any steps to trust the signature
of the FreeBSD Security Officer. One of the ways to make this
warning disappear would be to sign the key of the FreeBSD Security
Officer ourselves. We might do that after confirming in person or on
the telephone that the primary key fingerprint of the FreeBSD
Security Officer's key is as stated in the output above. (Beyond
this example, I will not show verifying future patches.)


Listing 12. Installing kernel

freebsd7# make installkernel KERNCONF=FREEBSD7
cd /usr/obj/usr/src/sys/FREEBSD7; MAKEOBJDIRPREFIX=/usr/obj
MACHINE_ARCH=i386 MACHINE=i386 CPUTYPE=
GROFF_BIN_PATH=/usr/obj/usr/src/tmp/legacy/usr/bin
GROFF_FONT_PATH=/usr/obj/usr/src/tmp/legacy/usr/share/groff_font
GROFF_TMAC_PATH=/usr/obj/usr/src/tmp/legacy/usr/share/tmac
PATH=/usr/obj/usr/src/tmp/legacy/usr/sbin:/usr/obj/usr/src/tmp/legacy/usr/bin:
/usr/obj/usr/src/tmp/legacy/usr/games:/usr/obj/usr/src/tmp/usr/sbin:
/usr/obj/usr/src/tmp/usr/bin:/usr/obj/usr/src/tmp/usr/games:/sbin:/bin:
/usr/sbin:/usr/bin make KERNEL=kernel install
thiskernel=`sysctl -n kern.bootfile` ; if [ ! "`dirname "$thiskernel"`"
-ef /boot/kernel ] ; then chflags -R noschg /boot/kernel ; rm -rf
/boot/kernel ; else if [ -d /boot/kernel.old ] ; then chflags -R noschg
/boot/kernel.old ; rm -rf /boot/kernel.old ; fi ; mv /boot/kernel
/boot/kernel.old ; sysctl kern.bootfile=/boot/kernel.old/"`basename
"$thiskernel"`" ; fi
kern.bootfile: /boot/kernel/kernel -> /boot/kernel.old/kernel
mkdir -p /boot/kernel
install -p -m 555 -o root -g wheel kernel /boot/kernel
...edited...
install -o root -g wheel -m 555 if_zyd.ko.symbols /boot/kernel
kldxref /boot/kernel


Listing 13. Uname output before recompiling kernel

freebsd7# uname -a
FreeBSD freebsd7.localdomain 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan
RA eS /eceeuo an Wh Game
root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
freebsd7# reboot


Listing 14. Uname output after recompiling kernel

freebsd7# uname -a
FreeBSD freebsd7.localdomain 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Aug
AQ) LLOZASOA imp ZOOS
root@freebsd7.localdomain:/usr/obj/usr/src/sys/FREEBSD7 i386
Listing 15. Patching telnetd

freebsd7# fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch
telnetd.patch LOOs ot N00 3 )2G0> kbps
freebsd7# fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch.asc
telnetd.patch.asc MOOG Om sos DS KkBps
freebsd7# gpg --verify telnetd.patch.asc telnetd.patch
gpg: Signature made Mon Feb 16 16:30:19 2009 EST using DSA key ID CA6CDFB2
gpg: Good signature from "FreeBSD Security Officer <security-officer@FreeBSD.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C374 0FC5 69A6 FBB1 4AED  B131 15D6 8804 CA6C DFB2
freebsd7# cd /usr/src
freebsd7# patch < /root/telnetd.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
|--- contrib/telnet/telnetd/sys_term.c (revision 188667)
|+++ contrib/telnet/telnetd/sys_term.c (working copy)
Patching file contrib/telnet/telnetd/sys_term.c using Plan A...
Hunk #1 succeeded at 1285 (offset 14 lines).
Hunk #2 succeeded at 1310 (offset 14 lines).
done
freebsd7# cd /usr/src/lib/libtelnet
freebsd7# make obj && make depend && make
/usr/obj/usr/src/lib/libtelnet created for /usr/src/lib/libtelnet
rm -f .depend
mkdep -f .depend -a -I/usr/src/lib/libtelnet/../../contrib/telnet
-DENCRYPTION -DAUTHENTICATION -DSRA -DKRB5 -I/lib/krb5 -I -I -DFORWARD
-Dnet_write=telnet_net_write
/usr/src/lib/libtelnet/../../contrib/telnet/libtelnet/genget.c
...edited...
building static telnet library
TaN MlenN lo elawlo ie euler ieee
freebsd7# cd /usr/src/libexec/telnetd
freebsd7# make obj && make depend && make && make install
/usr/obj/usr/src/libexec/telnetd created for /usr/src/libexec/telnetd
rm -f .depend
mkdep -f .depend -a -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON
-DENV_HACK -DINET6 -I/usr/src/libexec/telnetd/../../contrib/telnet
-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -Dnet_write=telnet_net_write
/usr/src/libexec/telnetd/../../contrib/telnet/telnetd/global.c
...edited...
install -s -o root -g wheel -m 555 telnetd /usr/libexec
install -o root -g wheel -m 444 telnetd.8.gz /usr/share/man/man8
For now we assume that the patch has not been tampered with and move on to applying it per the advisory's instructions. Now we apply the patch (see Listing 10).

Finally we compile a new kernel for our system. Note that we decide to make a copy of the configuration file called FREEBSD7. We do not leave the kernel as GENERIC because we have patched it (see Listing 11).

After waiting several minutes we 
install the new kernel (see Listing 12). 

After a final check of the installed 
kernel (which is still running), we reboot 
(see Listing 13). 

After reboot, notice that the new 
kernel is installed (see Listing 14). 

The compilation date also matches 
the date the new kernel was compiled. 


Applying Userland Patches Manually

In the previous section we saw how to apply a patch to the kernel, then recompile and install the patched kernel. Here we will look at applying a patch to a userland application that ships with the FreeBSD OS. For this example we will use the FreeBSD-SA-09:05.telnetd advisory (http://security.freebsd.org/advisories/FreeBSD-SA-09:05.telnetd.asc).

To implement this advisory, we follow 
the instructions in part 2 (see Listing 15). 

Since telnetd runs from inetd, we can 
be sure the next time telnetd starts it will 
be patched. 
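In Listing 15 gpg reports a good signature but also warns that the key is not certified, so the result only means something if the signing key's fingerprint matches one obtained out of band. The following is an added example (not part of the original article or of FreeBSD) that applies a patch only when gpg's machine-readable status names a pinned fingerprint; `PINNED_FPR` is a constructed placeholder and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: accept a downloaded patch only if the detached signature
# verifies AND was made by a key whose fingerprint was pinned beforehand.

# Placeholder (constructed). Replace with the 40-hex-digit fingerprint of the
# FreeBSD Security Officer key, taken from a source other than the download.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567

# sig_ok FPR
# Reads the output of `gpg --status-fd 1 --verify SIG FILE` on stdin and
# succeeds only if a VALIDSIG line names FPR and no failure status appears.
# VALIDSIG carries the signing key fingerprint as its first argument; current
# GnuPG also appends the primary key fingerprint as the last argument.
sig_ok() {
    awk -v want="$1" '
    BEGIN { want = toupper(want) }
    $1 != "[GNUPG:]" { next }
    # Bad, unverifiable, expired or revoked: never accept (strict policy).
    $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
    $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
    $2 == "VALIDSIG" {
        if (toupper($3) == want || toupper($NF) == want) good = 1
        else bad = 1          # valid signature, but from some other key
    }
    END { exit (good && !bad) ? 0 : 1 }
    '
}

# verify_patch SIGFILE DATAFILE
verify_patch() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | sig_ok "$PINNED_FPR"
}

# apply_if_signed SIGFILE PATCHFILE SRCDIR
# PATCHFILE must be an absolute path, as /root/telnetd.patch is in Listing 15.
apply_if_signed() {
    if verify_patch "$1" "$2"; then
        (cd "$3" && patch < "$2")
    else
        echo "refusing to apply $2: signature not from pinned key" >&2
        return 1
    fi
}
```

With the real fingerprint pinned, the steps of Listing 15 become `apply_if_signed /root/telnetd.patch.asc /root/telnetd.patch /usr/src`.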

In the previous edition of this document (published in 2005), we provided an example of manually patching the userland for FreeBSD-SA-04:05.openssl. That advisory required recompiling the entire userland. The same is true for FreeBSD-SA-06:23.openssl. However, there does not seem to be an advisory since 2006 that required recompiling the whole userland. Even FreeBSD-SA-09:08.openssl, another OpenSSL advisory, only required recompiling part of the userland, as was the case with this telnetd example. In the event you wish to apply a userland patch manually, and it requires recompiling the userland, follow the instructions in the advisory as we have done with these last two examples.


Using CVSup to Apply Patches 
So far we have shown how to do quick binary updates using FreeBSD Update, and we manually applied a kernel patch and then a userland patch. In this example we will use the traditional CVSup tool to update the entire system to a specific point in time. For this example we will use the FreeBSD-SA-09:07.libc security advisory (http://security.freebsd.org/advisories/FreeBSD-SA-09:07.libc.asc) to guide our actions.

This security advisory requires a patch to libc. We could have used binary updates to fix this, or applied the security patch manually. Instead we are going to update the whole system to a time when the patch was integrated into the FreeBSD source tree. This is solution 1 in the advisory. We take the time from the Corrected section of the advisory. Because our system is running FreeBSD 7.1, we look for the date involving that version of FreeBSD.

2009-04-22 14:07:14 UTC (RELENG_7_1, 7.1-RELEASE-p5)

This means we can update all of the source code on our system to a date after 2009-04-22 14:07:14 UTC to be sure the libc patch is applied.

In order to do that, we will use CVSup. We need to create a supfile that controls how CVSup operates. Examples are on the system already (see Listing 16).

Please replace INSERTYOURCHOICE.FreeBSD.org in this and later occurrences with the hostname of a real CVSup server as listed in the FreeBSD Handbook (http://www.freebsd.org/doc/en/books/handbook/cvsup.html).

We set the date to be in the minute after the correction time noted earlier.

Now we are ready to use CVSup to update our source tree (see Listing 20).

Notice the last date listed for updates to src/UPDATING is less than the time specified in our supfile. There are no updates beyond 2009-04-22 14:07:14 UTC. This means CVSup is working as expected. In other words, we are getting updates to 7.1 RELEASE, but not newer than our specified correction date.
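Choosing the supfile date by hand means reading the right branch line in the advisory and rounding up to the next minute. The following is an added example (not from the original article) that does both and prints a supfile in the form of Listing 16; the function names are hypothetical, and the sample entries are the Corrected lines quoted in this article for SA-09:07.libc and SA-09:09.pipe.

```shell
#!/bin/sh
# Added example: derive the supfile date from an advisory "Corrected:" entry.

# Corrected entries as quoted in this article, retyped with the underscores
# of the branch tags restored: SA-09:07.libc (from the text) and the legible
# lines of SA-09:09.pipe (Listing 20a).
SA_09_07='Corrected:      2009-04-22 14:07:14 UTC (RELENG_7_1, 7.1-RELEASE-p5)'
SA_09_09='Corrected:      2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
                2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)
                2009-06-10 10:31:11 UTC (RELENG_6, 6.4-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_6_4, 6.4-RELEASE-p5)
                2009-06-10 10:31:11 UTC (RELENG_6_3, 6.3-RELEASE-p11)'

# supfile_date TAG   (advisory text on stdin)
# Prints yyyy.mm.dd.hh.mm.00 for the start of the minute after the correction
# time of branch TAG. Fails if the advisory has no entry for TAG.
supfile_date() {
    awk -v tag="$1" '
    function dim(y, m) {            # days in month, Gregorian leap years
        if (m == 2) return (y % 4 == 0 && (y % 100 != 0 || y % 400 == 0)) ? 29 : 28
        return (m == 4 || m == 6 || m == 9 || m == 11) ? 30 : 31
    }
    # "(TAG," with the comma keeps RELENG_7 from matching RELENG_7_1.
    index($0, "(" tag ",") &&
    match($0, /[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] UTC/) {
        split(substr($0, RSTART, 19), p, /[- :]/)
        y = p[1] + 0; mo = p[2] + 0; d = p[3] + 0; h = p[4] + 0; mi = p[5] + 0
        mi++                                    # round up, then carry
        if (mi == 60) { mi = 0; h++ }
        if (h == 24) { h = 0; d++ }
        if (d > dim(y, mo)) { d = 1; mo++ }
        if (mo == 13) { mo = 1; y++ }
        printf "%04d.%02d.%02d.%02d.%02d.00\n", y, mo, d, h, mi
        found = 1
        exit
    }
    END { exit found ? 0 : 1 }
    '
}

# corrected_release TAG   (advisory text on stdin)
# Prints the patch level that contains the fix, e.g. 7.1-RELEASE-p6, for
# comparison with the release shown by uname after the rebuild.
corrected_release() {
    awk -v tag="$1" '
    (i = index($0, "(" tag ", ")) > 0 {
        s = substr($0, i + length(tag) + 3)
        sub(/\).*/, "", s)
        print s
        found = 1
        exit
    }
    END { exit found ? 0 : 1 }
    '
}

# make_supfile TAG HOST   (advisory text on stdin)
# e.g. make_supfile RELENG_7_1 INSERTYOURCHOICE.FreeBSD.org < advisory.asc
make_supfile() {
    d=$(supfile_date "$1") || return 1
    cat <<EOF
*default host=$2
*default base=/usr
*default prefix=/usr
*default release=cvs tag=$1
*default delete use-rel-suffix
*default date=$d
*default compress
src-all
EOF
}
```

A non-zero exit from `make_supfile` means the advisory lists no correction for that branch, so no supfile is written with a guessed date.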

Note that CVSup does not natively support HTTP proxies. For information on how to use CVSup through a proxy, specifically mentioning FreeBSD, see my blog post Updating FreeBSD Using CVSup through HTTP Proxy (http://taosecurity.blogspot.com/2009/08/updating-freebsd-using-cvsup-
Listing 16. Example supfiles

freebsd7# ls /usr/share/examples/cvsup
README          ports-supfile   standard-supfile
cvs-supfile     refuse          www-supfile
doc-supfile     refuse.README
gnats-supfile   stable-supfile

We created our own supfile with these contents:

freebsd7# cat /usr/local/etc/freebsd7-example.supfile
*default host=INSERTYOURCHOICE.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_7_1
*default delete use-rel-suffix
*default date=2009.04.22.14.08.00
*default compress
src-all

Listing 17. Running CVSup 


freebsd7# cvsup -g -L 2 /usr/local/etc/freebsd7-example.supfile 
Parsing supfile "/usr/local/etc/freebsd7-example.supfile" 
Connecting to cvsup3.FreeBSD.org 
Connected to cvsup3.FreeBSD.org 
Server software version: SNAP_16_1h
Negotiating file attribute support
Exchanging collection information
Establishing multiplexed-mode data connection 
Running 
Updating collection src-all/cvs 
Edit src/UPDATING 
Add delta 1.507. 
7 OTs 
PO ee. 
OS 2 all ae 
SOU Meo oe ie 


wie. 
lure 


2009 01207. 200 1.55 simon 
20097 OS. 219 2 Simon 
2009025 Woe lS 56.17 -epereiva 
2009 03.25 -00200 50 -cperciva 
2009.04.22.14.07.14 cperciva


Add delta 


Z Z 
2 Z 
Add delita Z Z 
Z Z 


Add delta 


CO AYA WD OO SB 


i 
1 
dk 
Rady delta 
Foie she, COntnib/bind?/lib/edns/ openssidsay lime 
Adewde lta iio 221 Ie OO Ol Tonos Sime 
EOdlEe she, Contrib; bind 27 Lib/dns/copenss rsa slime 
Ado dela ied 46. le 2009 50 els 2.2 Samon 
sue CUBES Glan. 
SetAttrs src/usr.sbin/pkg_install/tkpkg,v
Shutting down connection to server 


Finished successfully 
Listing 18. Commands to rebuild and install userland and kernel from source

cd /usr/src
make buildworld
make buildkernel KERNCONF=FREEBSD7
make installkernel KERNCONF=FREEBSD7
mergemaster -p
make installworld
mergemaster
reboot

Listing 19a. Demonstrating rebuilding and installing userland and kernel from source


-# SFreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/ 
1A/ 25 (02759:29 kensmaith Exp. 
+# SFreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 
ZO0c192 56 brooks Exp Ss 

# 
=Hoorno leCbiNCivGsO... s.ENCUSY pSaligh4 sic) 07077 030; 
Charlie 67/roors/bin/csh 
TROOEN WC. On eehemites Ga/ moot: bamipcom 
t£oo0r:*:0:0::0:0:Bourne-again Superuser: /root: 
daemon:*:1:1::0:0:Owner of many system processes: 
/£OOEs/ USt/ Soin/molog in 

Operator ?* 52757 0+0ssysrem 6 / </ lsh) soin/nollogin 

CG pe 2 cia 

pop:*:638;6:°0;0: Post Oftice Owner:/nonexistent:/usr/ 
sbin/nologin 

www:*:80:80::0:0:World Wide Web Owner:/nonexistent: 
just / sbim/nologin 

nobody: *;65534:65534::70;0:;Unprivileced user;/ 
nonexistent:/usr/sbin/nologin 
-analyst:S1SFNYoY3Rk$1LVv/eHHIuLpz0OABRAAYxO/:1001:1001: 
20: 0:analyst:/home/analyst:/bin/sh 


Use 'd' to delete the temporary ./etc/master.passwd
Use 'i' to install the temporary ./etc/master.passwd
Use 'm' to merge the temporary and installed versions
Use 'v' to view the diff results again
Default is to leave the temporary file to deal with by hand
How should I deal with this? [Leave it for later] d

An alternative to deleting the temporary file and not accepting changes is to manually integrate changes to files. See the FreeBSD Handbook for information on that process.

In the following we show sample output from the entire update process.


freebsd7# cd /usr/src
freebsd7# make buildworld
>>> World build started on Fri Aug 21 09:15:41 EDT 2009
rm -rf /usr/obj/usr/src/tmp
mkdir -p /usr/obj/usr/src/tmp/legacy/usr/bin
mkdir -p /usr/obj/usr/src/tmp/legacy/usr/games
...edited...
===> etc/sendmail (all)
rm -f freebsd.cf
m4 -D_CF_DIR_=/usr/src/etc/sendmail/../../contrib/sendmail/cf/ /usr/src/etc/sendmail/../../contrib/sendmail/cf/m4/cf.m4 /usr/src/etc/sendmail/freebsd.mc > freebsd.cf
chmod 444 freebsd.cf
rm -f freebsd.submit.cf
m4 -D_CF_DIR_=/usr/src/etc/sendmail/../../contrib/sendmail/cf/ /usr/src/etc/sendmail/../../contrib/sendmail/cf/m4/cf.m4 /usr/src/etc/sendmail/freebsd.submit.mc > freebsd.submit.cf
chmod 444 freebsd.submit.cf
>>> World build completed on Fri Aug 21 12:34:00 EDT 2009
freebsd7# make buildkernel KERNCONF=FREEBSD7
>>> Kernel build for FREEBSD7 started on Fri Aug 21 12:34:38 EDT 2009
===> FREEBSD7
mkdir -p /usr/obj/usr/src/sys
>>> stage 1: configuring the kernel
...edited...
ld -Bshareable -d -warn-common -o if_zyd.ko.debug if_zyd.kld
objcopy --only-keep-debug if_zyd.ko.debug if_zyd.ko.symbols
objcopy --strip-debug --add-gnu-debuglink=if_zyd.ko.symbols if_zyd.ko.debug if_zyd.ko
>>> Kernel build for FREEBSD7 completed on Fri Aug 21 esse Die OOo
cd /usr/obj/usr/src/sys/FREEBSD7; MAKEOBJDIRPREFIX=/usr/obj MACHINE_ARCH=i386
...edited...
install -o root -g wheel -m 555 if_zyd.ko.symbols /boot/kernel
kldxref /boot/kernel
freebsd7# mergemaster -p
*** Unable to find mtree database. Skipping auto-upgrade.
Listing 19b. Demonstrating rebuilding and installing userland and kernel from source, continued

*** Creating the temporary root environment in /var/tmp/temproot
*** /var/tmp/temproot ready for use
*** Creating and populating directory structure in /var/tmp/temproot
*** Beginning comparison
*** Temp ./etc/master.passwd and installed have the same CVS Id, deleting
*** Temp ./etc/group and installed have the same CVS Id, deleting
*** Comparison complete
Do you wish to delete what is left of /var/tmp/temproot? [no]
*** /var/tmp/temproot will remain
grep: /etc/make.conf: No such file or directory
*** Comparing make variables
*** From /etc/make.conf
*** From /usr/src/share/examples/etc/make.conf
freebsd7# make installworld
mkdir -p /tmp/install.tsulHaM5
for prog in [ awk cap_mkdb cat chflags chmod chown date echo egrep find grep install-info ln lockf make mkdir mtree mv pwd_mkdb rm sed sh sysctl test true uname wc zic; do cp `which $prog` /tmp/install.tsulHaM5; done
...edited...
===> etc/sendmail (install)
cd /usr/src/etc/../share/man; make makedb
makewhatis /usr/share/man
makewhatis /usr/share/openssl/man
rm -rf /tmp/install.tsulHaM5
freebsd7# mergemaster
*** Unable to find mtree database. Skipping auto-upgrade.
*** The directory specified for the temporary root environment,
    /var/tmp/temproot, exists. This can be a security risk if untrusted
    users have access to the system.
Use 'd' to delete the old /var/tmp/temproot and continue
Use 't' to select a new temporary root directory
Use 'e' to exit mergemaster
Default is to use /var/tmp/temproot as is
How should I deal with this? [Use the existing /var/tmp/temproot]
*** Leaving /var/tmp/temproot intact
*** Creating the temporary root environment in /var/tmp/temproot
*** /var/tmp/temproot ready for use
*** Creating and populating directory structure in /var/tmp/temproot
mtree -eU -f /usr/src/etc/mtree/BSD.root.dist -p /var/tmp/temproot/
./bin missing (created)
./boot missing (created)
./boot/defaults missing (created)
...edited...
*** Temp ./etc/login.access and installed have the same CVS Id, deleting
*** Temp ./etc/login.conf and installed have the same CVS Id, deleting
*** Temp ./etc/mac.conf and installed have the same CVS Id, deleting
*** Displaying differences between ./etc/motd and installed version:
——— 9 Cro, Mord 2009-08-21) 0324915. 000000000 —0400 
T+) e/ere/ mora | 2009-06-21) 135251240 00000000 -—0400 
@@ =1,4 +1,4 @e@ 
=FreeBSD 7.1-RELEASE (GENERIC) #0: Thu Jan 1 14:37: 
25 UTC 2009 


TE RCSB SD ao ses. (UNKNOWN ) 


Welcome to FreeBSD! 
Use 'd' to delete the temporary ./etc/motd
Use 'i' to install the temporary ./etc/motd
Use 'm' to merge the temporary and installed versions
Use 'v' to view the diff results again
Default is to leave the temporary file to deal with by hand
How should I deal with this? [Leave it for later] i
*** /etc/motd installed successfully
*** Temp ./etc/netconfig and installed have the same CVS Id, deleting
*** Temp ./etc/network.subr and installed have the same CVS Id, deleting
...edited...
*** Temp ./.profile and installed have the same CVS Id, deleting
*** Temp ./COPYRIGHT and installed have the same CVS Id, deleting
*** Comparison complete
*** Saving mtree database for future upgrades
Do you wish to delete what is left of /var/tmp/temproot? [no]
*** /var/tmp/temproot will remain
freebsd7# reboot
freebsd7# uname -a

FreeBSD freebsd7.localdomain 7.1-RELEASE-p5 FreeBSD 

(2 Rib ASh = PpoawtOs rie Aug Zi oo) eT 200" ro 
ot@freebsd7.localdomain:/usr/obj/usr/src/sys/FREEBSD7 
13060 
Listing 20a. FreeBSD-SA-09:09.pipe security advisory


eS lee Auk 





FreeBSD-SA-09:09.pipe                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Local information disclosure via direct pipe writes

Category:       core
Module:         kern
Announced:      2009-06-10
Credits:        Pieter de Boer
Affects:        All supported versions of FreeBSD.
Corrected:      2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
                2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)
                2009-06-10 10:31:11 UTC (RELENG_6, 6.4-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_6_4, 6.4-RELEASE-p5)
                2009-06-10 10:31:11 UTC (RELENG_6_3, 6.3-RELEASE-p11)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

One of the most commonly used forms of interprocess communication on
FreeBSD and other UNIX-like systems is the (anonymous) pipe.  In this
mechanism, a pair of file descriptors is created, and data written to one
descriptor can be read from the other.

FreeBSD's pipe implementation contains an optimization known as "direct
writes".  In this optimization, rather than copying data into kernel
memory when the write(2) system call is invoked and then copying the data
again when the read(2) system call is invoked, the FreeBSD kernel takes
advantage of virtual memory mapping to allow the data to be copied directly
between processes.

II.  Problem Description

An integer overflow in computing the set of pages containing data to be
copied can result in virtual-to-physical address lookups not being
performed.

III. Impact

An unprivileged process can read pages of memory which belong to other
processes or to the kernel.  These may contain information which is
sensitive in itself; or may contain passwords or cryptographic keys which
can be indirectly exploited to gain sensitive information or access.

IV.  Workaround

No workaround is available, but systems without untrusted local users are
not vulnerable.  System administrators are reminded that even if a system
is not intended to have untrusted local users, it may be possible for an
attacker to exploit some other vulnerability to obtain local user access
to a system.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch dated
after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:09/pipe.patch
# fetch http://security.FreeBSD.org/patches/SA-09:09/pipe.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.


CMS 
Bibamen Revision 
Pein 
RELENG 6 
src/sys/kern/sys pipe.c tebe 2s 
~, edited... 
RELENG_7 
src/sys/kern/sys pipe.c eae 
RELENG 7 2 
RO 222 A 
Ue eee elec DES 
eee See 


src/UPDATING 
src/sys/conf/newvers.sh 


Src/sys/kern/sys pipe.¢ 
through.html). Now we are ready to execute the commands required to rebuild the system using source code. See Listing 18 for instructions.

Note in the following output that when asked whether to install a change using the i input, we usually answer yes. The main exception involves overwriting files used for authentication, like /etc/passwd. In the event a file like that is overwritten, the administrator can log in at the console as root (with no password), and then manually reinstall user accounts and set passwords.


Listing 20b. FreeBSD-SA-09:09.pipe security advisory 


RELENG 7 1 
src/UPDATING 
src/sys/conf/newvers.sh 


src/sys/kern/sys pipe.c 


Subversion: 


Branch/path 


stable/6/ 
releng/6.4/ 
releng/6.3/ 
stable/7/ 
releng/7.2/ 
releng/7.1/ 


VII. References 


The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:09.pipe.asc


Version: GnuPG v1.4.9 (FreeBSD) 




Listing 21. Supfile for specific CVS date

freebsd7# cat /usr/local/etc/freebsd7-example.supfile
*default host=INSERTYOURCHOICE.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_7_1
*default delete use-rel-suffix


Keeping FreeBSD Up-To-Date: OS Essentials 


In the following example, we do NOT install the file provided by the upgrade, because doing so would delete our /etc/master.passwd file (see Listing 19).

The system is now completely 
updated to the time specified in the 
supfile. However, the compilation date for 
the kernel shows when the kernel was 
compiled. 


Using Csup to Apply Patches 

In the last example we used the traditional 
CVSup tool to apply patches to a system. 
Most FreeBSD administrators are very 
familiar with using that tool. However, 


*default compress 


src-all
io Ui soo 
ie 2 Ane 
ee a 


example.supfile 


since FreeBSD 6.2, a C replacement called Csup by Maxime Henrion has been available. In this example we will use the new Csup tool to update the entire system to a specific point in time. For this example we will use the FreeBSD-SA-09:09.pipe.asc security advisory (http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc) to guide our actions (see Listings 20a and 20b).

This security advisory requires a patch to the kernel. We could have used binary updates to fix this, or applied the security patch manually. Instead we are going to update the whole system to a


*default date=2009.06.10.10.32.00


Listing 22. CSup to a specific date 


freebsd7# csup -g -L 2 /usr/local/etc/freebsd7-


Parsing supfile "/usr/local/etc/freebsd7-example.supfile"


Establishing multiplexed-mode data connection 


Revision Connecting to Cvsups. FreeBSD .org 
SSS SSS SSeS = Conmected to 125 3120.26 

EVOSE OS server SOkuware version, sNAP lo) Ih 
OSS. Negotiating file attribute support 
ie Se oS. hiechangiuing collection imformariLon 
ries 3 
ed OSS. Running 
ioe Sse .8 Updating collection sre=-all/cvs 


Edit src/UPDATING 


Ade sdellita 1.507. 2.13.2. 052009 0G 10210 git 


cperciva 


cperciva 


Heirs ke/ Conerl b> MEp/ MEP /MEpLCr DEO. c 
PGaedeliwa dh. Iie s eh OO Oe Ok IO sale allel 


Edit src/sys/conf/newvers.sh 


Addvdelica de (2.229 2,10) 2009 O62 LOe On sis ih epereiva 


Edit 


Beat 


src/sys/kern/sys pipe.c 
Addsdeliwa il Toh. 82220090 62 LOO Sab pereiwa 


src/sys/netinet6/in6.c 


Add cdeltavil: (3.2 24.27.27 2008-06710 0c sali epenciva 


Shutting down connection to server 


Finished successfully 


Listing 23. Uname after updating to specific date 


freebsd7# uname -a


FreeBSD freebsd7.localdomain 7.1-RELEASE-p6 FreeBSD 


(Ritesh po efile mr AiG Zito oe opr 2009 ro 


ot@freebsd7.localdomain:/usr/obj/usr/src/sys/FREEBSD7 


Toe 
time when the patch was integrated into the FreeBSD source tree. This is Solution 1 in the advisory. We take the time from the Corrected section of the advisory. Because our system is running FreeBSD 7.1, we look for the date involving that version of FreeBSD.

2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)

This means we can update all of the source code on our system to a date after 2009-06-10 10:31:11 UTC to be sure the kernel patch is applied.

In order to do that, we will use Csup. We will modify our earlier supfile that controls how Csup operates.

We set the date to be in the minute after the correction time noted earlier.

Now we are ready to use Csup to update our source tree (see Listing 22).

Now we can follow the same process as seen in the previous example (see Listing 18).

After rebooting, you see the new version of the FreeBSD kernel is installed (along with the userland).

As you can see, Csup is functionally equivalent to CVSup, and Csup is packaged with the FreeBSD OS.

Listing 24. Available binary updates

Index of /
Name                Last Modified          Size   Type
Parent Directory/                          -      Directory
5.5-RELEASE/        2009-Jan-06 15:31:40   -      Directory
6.0-RELEASE/        2009-Jan-06 15:31:40   -      Directory
6.1-RELEASE/        2009-Jan-06 15:31:40   -      Directory
6.2-RELEASE/        2009-Jan-06 15:31:40   -      Directory
6.3-RELEASE/        EOS] dl oon he 1-01           Directory
6.4-RELEASE/        2009-Jul-29 16:19:09   -      Directory
7.0-RELEASE/        2009-Apr-22 13:44:47   -      Directory
ease                2009-Jan-06 15:31:40   -      Directory
7.1-BETA2/          2009-Jan-06 15:31:40   -      Directory
ede,                2009-Jan-06 15:31:40   -      Directory
i =e 2/             2009-Jan-07 20:16:13   -      Directory
Tol Ra hee          DOC =o mlm ie oe              Directory
eae                 2009-Apr-01 17:44:28   -      Directory
eRe de,             2009-Apr-22 14:00:51   -      Directory
7.2-RC2/            2009-Apr-24 12:13:42   -      Directory
7 O- RELEASE /      DOCS sul=o os Pees G          Directory
8.0-BETA1/          2009-Jul-30 06:04:42   -      Directory
8.0-BETA2/          2009-Jul-30 06:04:51   -      Directory
8.0-BETA3/          2009-Aug-23 21:25:58   -      Directory
co? ei -Re tench,   00S dante is 3-0              Directory
= 72 =e aaa         D00S=tor Oli) 138-06   -      Directory
COT enc             2009-Apr-16 15:20:25   -      Directory
to-7.2-RC2/         2009-Apr-24 12:04:41   -      Directory
to-7.2-RELEASE/     2009-May-02 17:45:12   -      Directory
to-8.0-BETA1/       2005 sulle Ole 06-24   -      Directory
to-8.0-BETA2/       2009-Jul-17 19:08:49   -      Directory
to-8.0-BETA3/       2009-Aug-23 22:04:57   -      Directory
200 = Jie, oe AiG eG
PVOS=hug—2 35 22756525 1. 5G
2009-Jul-30 06:32:07 13.9M application/x-tar
80BETA2.tar


FreeBSD Update's Available Versions

In the first section of this paper we saw FreeBSD Update used to keep a FreeBSD 7.2 system up-to-date. If you need to understand what sort of updates or upgrades are available for FreeBSD using freebsd-update, you can manually inspect one of the update sites. At the time of writing, visiting http://update2.freebsd.org displayed the following (see Listing 24).

Take the 7.2-RELEASE/ directory as an example. This means that FreeBSD Upgrade knows how to start with FreeBSD 7.2 RELEASE (as we started the article) and update or upgrade to the to- directories. FreeBSD Update does not have the capability to update from 4.x, for example, or from any STABLE version (e.g., 7.2-STABLE).

For example, if you tried to use FreeBSD Upgrade to update a 7.2-STABLE system, it will fail (see Listing 25).

If you are having trouble using FreeBSD Update, it's helpful to activate the '-v debug' switch to see what is happening.


applacatk Lon/ x =rar 
S0BETA3 [tar apolucation; xX-rar 


updates.tar 


Listing 25. Uname output for 7-STABLE and Failed FreeBSD Update for STABLE

fbsd71toS# uname -a
FreeBSD fbsd71toS.taosecurity.com 7.2-STABLE FreeBSD 7.2-STABLE #0: Sat Aug 22 23:02:30 EDT 2009 root@fbsd71toS.taosecurity.com:/usr/obj/usr/src/sys/FREEBSD7 i386
fbsd71toS# freebsd-update -v debug fetch
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update5.FreeBSD.org... fetch: http://update5.FreeBSD.org/7.2-STABLE/i386/pub.ssl: Not Found
failed.


Listing 26. Supfile for FreeBSD 7.2

*default host=INSERTYOURCHOICE.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_7_2_0
*default delete use-rel-suffix
*default compress
src-all
Listing 27a. FreeBSD Update from 7.1 to 7.2

freebsd7# freebsd-update upgrade -r 7.2-RELEASE
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update4.FreeBSD.org... done.
Fetching metadata signature for 7.1-RELEASE from update4.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.

The following components of FreeBSD seem to be installed:
kernel/generic src/base src/bin src/cddl src/contrib src/crypto src/etc
src/games src/gnu src/include src/krb5 src/lib src/libexec src/release
src/rescue src/sbin src/secure src/share src/sys src/tools src/ubin
src/usbin world/base world/dict world/doc world/games world/info
world/manpages world/proflibs

The following components of FreeBSD do not seem to be installed:
world/catpages

Does this look reasonable (y/n)? y

Fetching metadata signature for 7.2-RELEASE from update4.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.
Fetching files from 7.1-RELEASE for merging... done.
Preparing to download files... done.

Fetching S0059 parechess 7. 1. ae eee) eecey Oa ee ane PHO gc cco 
Ov earnme Ole eon: a0 Seas 

s. peCdLLed. .: 


ni ZO OO eee OOO. 2 OOO 22 OO ee 24S Oe AO) 
an 2 OA DO Gr a2 AOU Oey Ole OMe. 


Applying patches... done.
Fetching 2273 files... done.
Attempting to automatically merge changes in files... done.

The following changes, which occurred between FreeBSD 7.1-RELEASE and
FreeBSD 7.2-RELEASE have been merged into /etc/group:
=—— (Current, version 
+++ new version 

CC cera cid 
=# SFreepsh: sre/ete/group;,v 1.35.6.1 2008711725 02: 
59:29 kensmich Exp Ss 
tH SP reebob: sre/etc/group;v 1.35.8.1 2009704715 03: 
14:26 kensmith Exp S 

# 

wheels * 20: root, analyse 

daemon: 43 1: 

kmem:*:2: 

Svsu 1 a: 


Does this look reasonable (y/n)? y 


The following changes, which occurred between FreeBSD 7.1-RELEASE and
FreeBSD 7.2-RELEASE have been merged into /etc/master.passwd:
=> Current: Versvon 
+++ new version 
CG e ems soma 
-# SFreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/ 
11/25 (02:59:29 kKensmith Exp 3 
+# SFreeBSD: src/etc/master.passwd,v 1.40.20.1 2009/ 
04715 03:14:26 Kensmith Exp $ 
# 
POOEs> lSxy 7 mnCDHUSPEOCCNGRIr99CTROdEBWOO:0=0: 20-0: 
Charlie &+/ root; /ban/cosh 
£oor; *:0:30::0:0:Bourne-again Superuser:/ rook: 
daemon:*:1:1::0:0:Owner of many system processes: 
(/©OGkt/ USt/ Sbin/nologin 
G@perators* +275; 50; 0sSystem 6:/:/usr/ sbain/nologin 
Does this look reasonable (y/n)? y 
The following changes, which occurred between FreeBSD 
7.1-RELEASE and 
FreeBSD 7.2-RELEASE have been merged into /etc/passwd: 
=== Curren: Vers vom 
+++ new version 
ie Sie sell. (ele 
-# SFreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/ 
d17/25 029759229 kKenemith Exp 3 
+# SFreeBSD: src/etc/master.passwd,v 1.40.20.1 2009/ 
047/15 03514:26 Kensmith Exp Ss 
# 
BOOEs +: O20; Charlies <7 VOOks/ bun/icsah 
toor:*:0:0:Bourne-again Superuser:/root: 
daemon:*:1:1:Owner of many system processes:/root: 
fusr/sbin/nologin 
Operators* 7275:System &:/:/usr/ sbin/no login 
Does this look reasonable (y/n)? y 
The following files will be removed as part of updating to 7.2-RELEASE-p2:
/boot/kernel/ath_hal.ko
...edited...
/usr/src/sys/vm/vm_pageq.c
The following files will be added as part of updating to 7.2-RELEASE-p2:
/boot/kernel/cpuctl.ko
...edited...
/usr/src/usr.sbin/makefs/walk.c
The following files will be updated as part of updating to 7.2-RELEASE-p2:
/.cshrc
/.profile
/COPYRIGHT
...edited...
/var/yp/Makefile.dist
freebsd7# freebsd-update install
Installing updates...

Kernel updates have been installed. Please reboot and


www.bsdmag.org 19 







FreeBSD Update to Upgrade from One Minor Version to Another

You've seen how CVSup and Csup can be used to update the OS and userland according to the tags in a supfile. You could easily continue this process if you wished to upgrade from FreeBSD 7.1 to FreeBSD 7.2 RELEASE. For example, your supfile would say the following (see Listing 26).

Notice we removed the date tag seen earlier. We also changed the release tag to indicate RELENG_7_2_0, which would be the same FreeBSD 7.2 shipped on CD.

It would make more sense to use 
RELENG_7_2 so the new system would 
be tracking the security branch. 


12 UII) 


installing updates. 

freebsd7# reboot 

freebsd7# freebsd-update install 
Installing updates...done. 


freebsd/7# uname -a 


sys/GENERIC i386 


Listing 28. Supfile for FreeBSD 7-STABLE 


*default base=/usr 

*default prefix=/usr 

~derdul: rellease—eve tag-RELENG 7 
*default delete use-rel-suffix 
*default compress 


sie—all 
Listing 29. Uname output for FreeBSD 7-STABLE 


freebsd/7# uname -a 


kernel 


fosd71toS# uname -a 





FreeBSD freebsd7.localdomain 7.2-RELEASE-p2 FreeBSD 


root@i386-builder.daemonology.net:/usr/obj/usr/src/ 


*default host=INSERTYOURCHOICE.FreeBSD.org 


FreeBSD freebsd7.localdomain 7.2-STABLE FreeBSD 7.2- 
STABLE, #27. a0 Aug 22 17212742 fpr 2009 
7, localdomain:/USE/ Ob] /USL/ SEC/SVS/FREEBSD/ 1386 


Listing 30. Uname for system running FreeBSD 7-STABLE with desired 


FreeBSD fbsd71toS.taosecurity.com 7.2-STABLE FreeBSD 
7, 2-STABLE #0; Sat Aug 22 23202:30 EDr 2009 
SQ/1£0S.taosecurity.com:/USL/OD7/ USL/SLC/SVS/ FREEBSD / 


It would be convenient if we could use 
binary upgrades via FreeBSD Update. It 
turns out that in this situation, we can do 
so. These are the basic commands: 


freebsd-update upgrade -r 7.2-RELEASE 
freebsd-update install 
reboot 


freebsd-update install 


Note that this process requires plenty of 
free space in the /var partition. If you 
have more free space elsewhere (say 
in /usr), you can specific an alternative 
work directory for freebsd-update using 
the -a switch, e.g., 


freebsd-update -d /usr/db/freebsd- 
update upgrade -r 7.2-RELEASE 


Listing 27b. FreeBSD Update from 7.1 to 7.2, continued 


L380 


W/ust/sbiny freebsd-update install” again €o finish 


Ensure the specified directory exists 
before starting FreeBSD Update. 

In the following example, we upgrade our FreeBSD 7.1 system to
FreeBSD 7.2 using FreeBSD Update. FreeBSD Update will upgrade the
system to the latest point in the security branch.

As you can see, we used FreeBSD Update to bring our FreeBSD 7.1
system to the latest security update for FreeBSD 7.2. Notice we are
running a GENERIC kernel again (see Listings 27a and 27b).


STABLE: The End of the Line 
for a Single Version 

The end of the line in the FreeBSD 7.x tree is 
7.2-STABLE. The STABLE tree incorporates 
not only bug fixes and security patches, 
but upgrades that are Merged From 


Listing 31. Uname for system that needs to update its kernel 


freebsd7S# uname -a 


FreeBSD freebsd7S.taosecurity.com 7.2-STABLE FreeBSD 


Te2-SlABLE gee ae Aug 22 1/7125 42 epr 2009 


7, 2-RELEBASHE=p2 40s Wed vun 24° 0025/2442 UTC 2009 


root@freebsd7.localdomain:/usr/obj/usr/src/sys/FREEBSD7 i386 


Listing 32. Mounting remote /usr/src and /usr/obj using NFS 


freebsd7S# mount -t nfs 172.16.134.130:/usr/src /usr/src
freebsd7S# mount -t nfs 172.16.134.130:/usr/obj /usr/obj
freebsd7S# mount
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s1f on /home (ufs, local, soft-updates)
/dev/ad0s1g on /tmp (ufs, local, soft-updates)
/dev/ad0s1d on /usr (ufs, local, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)
172.16.134.130:/usr/src on /usr/src (nfs)
172.16.134.130:/usr/obj on /usr/obj (nfs)


root@freebsd 


Listing 33. Supfile for CURRENT 


*default host=INSERTYOURCHOICE.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix
*default compress
src-all


CURRENT (aka MFC'd). STABLE is a constantly moving target, marked
only by the date and time that an administrator uses CVSup to sync
with the STABLE tree. For this reason, security advisories, such as
FreeBSD-SA-09:12.bind, will list the date and time at which a STABLE
branch incorporates a security fix:

Corrected: 2009-07-28 23:59:22 UTC (RELENG_7, 7.2-STABLE)

If your STABLE is older than the date specified, your system is
vulnerable. Compare that method of gauging a system's exposure with
checking the patch level when running the security branch. From the
same advisory:

2009-07-29 00:14:14 UTC (RELENG_7_2, 7.2-RELEASE-p3)

Here we also have a timestamp, but it's easier to see that
7.2-RELEASE-p3 is patched for the bind vulnerability.
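
The two checks described above (build date for STABLE, patch level for the security branch), as an added Python example that is not code from the article or the FreeBSD project. The uname lines are constructed samples in the format of the listings; the time-zone table and the verdict names are assumptions. A kernel build date later than the fix only shows that the kernel was compiled after it, so that case is reported as needing a check of when the sources were synced.

```python
import re
from datetime import datetime, timedelta, timezone

# "Corrected:" entries for FreeBSD-SA-09:12.bind as quoted in the text above.
ADVISORY = """\
Corrected: 2009-07-28 23:59:22 UTC (RELENG_7, 7.2-STABLE)
           2009-07-29 00:14:14 UTC (RELENG_7_2, 7.2-RELEASE-p3)
"""

# Assumption: only the zone abbreviations needed for these samples.
TZ_OFFSETS = {"UTC": 0, "EDT": -4, "EST": -5}

ENTRY_RE = re.compile(
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC \((RELENG_[\d_]+), ([^)]+)\)")
UNAME_RE = re.compile(
    r"^FreeBSD \S+ (?P<ver>\S+) FreeBSD \S+ #\d+: \w{3} (?P<mon>\w{3}) +"
    r"(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<tz>[A-Z]+) (?P<year>\d{4})")

# Constructed `uname -a` lines (hosts and build times are made up).
_TAIL = " root@host.example:/usr/obj/usr/src/sys/GENERIC i386"
SAMPLES = {
    "stable-old": "FreeBSD host.example 7.2-STABLE FreeBSD 7.2-STABLE #0: "
                  "Wed Jul  1 12:00:00 UTC 2009" + _TAIL,
    "stable-edt": "FreeBSD host.example 7.2-STABLE FreeBSD 7.2-STABLE #1: "
                  "Tue Jul 28 20:30:00 EDT 2009" + _TAIL,
    "release-p2": "FreeBSD host.example 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #0: "
                  "Wed Jun 24 00:00:00 UTC 2009" + _TAIL,
    "release-p3": "FreeBSD host.example 7.2-RELEASE-p3 FreeBSD 7.2-RELEASE-p3 #0: "
                  "Wed Jul 29 01:00:00 UTC 2009" + _TAIL,
}


def parse_advisory(text):
    """Map each fixed version string to its correction time (UTC)."""
    fixes = {}
    for stamp, _branch, version in ENTRY_RE.findall(text):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        fixes[version] = when.replace(tzinfo=timezone.utc)
    return fixes


def parse_uname(line):
    """Return (version, kernel build time as an aware datetime)."""
    m = UNAME_RE.match(line)
    if not m or m["tz"] not in TZ_OFFSETS:
        raise ValueError("unrecognised uname output: %r" % line)
    naive = datetime.strptime(
        "%s %s %s %s" % (m["year"], m["mon"], m["day"], m["time"]),
        "%Y %b %d %H:%M:%S")
    zone = timezone(timedelta(hours=TZ_OFFSETS[m["tz"]]))
    return m["ver"], naive.replace(tzinfo=zone)


def assess(uname_line, fixes):
    """Classify a host against one advisory's 'Corrected:' entries."""
    version, built = parse_uname(uname_line)
    base, _, patch = version.partition("-p")   # "7.2-RELEASE-p2" -> base, "2"
    if base.endswith("-STABLE"):
        corrected = fixes.get(base)
        if corrected is None:
            return "not-listed"
        # A kernel built before the fix was committed cannot contain it.
        if built < corrected:
            return "vulnerable"
        # Built later: sources may still predate the fix, so verify the sync.
        return "check-sync-date"
    for fixed in fixes:                        # security branch: compare -pN
        fixed_base, _, fixed_patch = fixed.partition("-p")
        if fixed_base == base:
            ok = int(patch or 0) >= int(fixed_patch or 0)
            return "patched" if ok else "vulnerable"
    return "not-listed"


if __name__ == "__main__":
    table = parse_advisory(ADVISORY)
    for name, line in SAMPLES.items():
        print(name, assess(line, table))
```

The "stable-edt" sample shows why the time zone matters: 20:30 EDT on 28 July is 00:30 UTC on 29 July, which is after the correction time even though the wall-clock strings suggest otherwise.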

For demonstration purposes, we will upgrade our FreeBSD
7.2-RELEASE-p2 system to STABLE by modifying our supfile with these
contents (see Listing 28).

Next we follow the commands introduced earlier to upgrade to
7.2-STABLE. Begin with:


csup -g -L 2 /usr/local/etc/freebsd7-example.supfile


Then continue by using a new copy of the GENERIC kernel
configuration file. There may be changes introduced in STABLE that
are not reflected in your own kernel configuration file.


cp /usr/src/sys/i386/conf/GENERIC /usr/src/sys/i386/conf/FREEBSD7


Now we follow the commands we've seen earlier (see Listing 18).

When done you will be running FreeBSD 7.2-STABLE. Our uname output
then appears as follows (see Listing 29).

Notice the output says 7.2-STABLE, although the CVS tag used was
RELENG_7.


Building a Userland and Kernel 
on One System and Installing 
on Another 

In the following example, we will show how to install the userland
and kernel built on one system onto a second system. The server with
the desired userland and kernel is fbsd71toS, or 172.16.134.130 (see
Listing 30).

Since we are using NFS, the server has the following in
/etc/rc.conf.


rpcbind_enable="YES"
nfs_server_enable="YES"


The server also has the following /etc/exports file.


fbsd71toS# cat /etc/exports
/usr -alldirs


The client that will receive the new userland and kernel is
freebsd7S (see Listing 31). The client has the following in
/etc/rc.conf.


nfs_client_enable="YES"

Figure 3. FreeBSD binary updates 

First we mount /usr/src and /usr/obj from the server to the client
using NFS (see Listing 32). Make sure we are now in /usr/src.


freebsd7S# cd /usr/src


At this point we can follow the instructions we saw earlier,
starting as shown.


make installkernel KERNCONF=FREEBSD7
mergemaster -p
make installworld
mergemaster


Before reboot I umount the NFS mounts.


freebsd7S# pwd 

/root 

freebsd7S# umount /usr/ports 
freebsd7S# umount /usr/src 
freebsd7S# umount /usr/obj 


reboot 


Listing 34a. FreeBSD Update from 7.1 to 8.0-BETA3 


fbsd71-to-8# uname -a
FreeBSD fbsd71-to-8.taosecurity.com 7.1-RELEASE
FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009
root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/
GENERIC i386

tssd(l=tos87 Sseveav Hille ROW hore: 7/71 72.1622 175126 
fbsd71-to-8# freebsd-update upgrade -r 8.0-BETA3 


Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update5.FreeBSD.org... done.
Fetching metadata signature for 7.1-RELEASE from
update5.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.


The following components of FreeBSD seem to be 
installed: 

kernel/generic world/base world/dict world/doc world/ 
games world/info 

world/manpages 

The following components of FreeBSD do not seem to be 
installed: 

src/base src/bin src/cddl src/contrib src/crypto src/etc src/games
src/gnu src/include src/krb5 src/lib src/libexec src/release src/rescue
src/sbin src/secure src/share src/sys src/tools src/ubin src/usbin
world/catpages world/proflibs

Does this look reasonable (y/n)? y 

Fetching metadata signature for 8.0-BETA3 from 
update5.FreeBSD.org... done. 

Fetching metadata index... done. 


Fetching 1 metadata patches. done. 


Applying metadata patches... done. 

Fetching 1 metadata files... done. 

Inspecting system... done. 

Fetching files from 7.1-RELEASE for merging... done. 


Preparing Lo download tiles. ... 
+. ,edited... 
9320 is OO U ae OOF Ot 3 0 BOONE. 
Applying patches... done. 
Fetching 750 files... done. 
Attempting to automatically merge changes in files... 
done. 
The following changes, which occurred between FreeBSD
7.1-RELEASE and
FreeBSD 8.0-BETA3 have been merged into /etc/group:
== CUurcrenis Vers LOM 
+++ new version 
CIS or GG 
=# SFreepsD: sre/etc/group,v 1.35.6.1 2008711725 02: 
59°29 kKensmith Exp 3 
+e SFECCRSDs sre/ecc/group,v 1.35,10.,1 2009708703 08: 
13°06 Kensmith Exp % 
# 


wheel:*:0:root,analyst 
Gaemoms «21h: 
kmem: *:2: 
Suisicus os 
Does this look reasonable (y/n)? y 
The following changes, which occurred between FreeBSD
7.1-RELEASE and
FreeBSD 8.0-BETA3 have been merged into /etc/
master.passwd:
=== CUrPreEnE Versi1onm 
+++ new version 
Ger =, 6 +15) 6 Ge 
-# SFreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/ 
42/25 02259:29 kensmith Exp = 
+# SFreeBSD: src/etc/master.passwd,v 1.40.22.1 2009/ 
08703 08213206 kensmith Exp $ 
# 
KoourSlSkreoUpbPPsSssOAlLOcpsiglLx9tOVgsal:0:.0370:0% 
Charlie G:/root;/bin/csnh 
toore* 3070220: 0sBourne-again Superuser:/ FOO; 
daemon:*:1:1::0:0:Owner of many system processes: 
/eCor:/ust, sbin/ nollogim 
Operetors*+:2:5:3-0-0:System &£3/:/usr/sbin/nologin 
Does this look reasonable (y/n)? y 
The following changes, which occurred between FreeBSD
7.1-RELEASE and
FreeBSD 8.0-BETA3 have been merged into /etc/passwd:
=== CUrrenE Version 
+++ new version 
Ce Ses ails ts (le 
-# SFreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/ 
D125 02259229 Kensmith Exp 3 
+# SFreeBSD: src/etc/master.passwd,v 1.40.22.1 2009/ 
06703) 08-13206 kensmith Exp > 
# 
LOOrs sO; Us Charlie oe/ root: bianco 
toor:*:0:0:Bourne=-again Superuser: / root: 
daemon:*:1:1:Owner of many system processes:/root: 
/usn/soiny/ nolegin 
Operator: +255 ;System &:/2/usr/ sbin/nologin 
Does this look reasonable (y/n)? y 
The following files will be removed as part of updating
to 8.0-BETA3-p0:
/boot/kernel/ath_hal.ko
/boot/kernel/ath_hal.ko.symbols
/boot/kernel/ath_rate.ko
...edited...
The following files will be added as part of updating
to 8.0-BETA3-p0:
/boot/gptzfsboot
/boot/kernel/accf_dns.ko
...edited...
The following files will be updated as part of updating
to 8.0-BETA3-p0:
comune 


/.profile

When done we check the uname output on the client to see that it
matches the server from whom it received its kernel and userland.

That kernel matches the one on the server, so we just successfully
installed a userland and kernel built on fbsd71toS onto a client,
freebsd7S.


What Comes Next? 

Beyond STABLE comes CURRENT, or HEAD, or tag=. in a supfile. CURRENT
represents the next version of FreeBSD. For example, while FreeBSD
7.x is the STABLE version, CURRENT is being prepared as FreeBSD 8.0.
At the time of writing, FreeBSD 8.0 is currently in BETA. Although
testing the next version of FreeBSD is encouraged in order to
support the project and to ensure it works on your platforms, I do
not recommend running CURRENT in production.

One could use CVSup or Csup to update to CURRENT using the following
supfile (see Listing 33).

However, when I want to try CURRENT, I prefer to start with a
snapshot (http://www.freebsd.org/snapshots/) and either use the
snapshot or CVSup to CURRENT from the snapshot. A snapshot is a
version of FreeBSD from various branches. For example, at the time
of writing, snapshots for FreeBSD 6.4-STABLE, 7.2-STABLE, and
8.0-CURRENT are posted.


Upgrading from One Major 
Version to Another Major 
Version Using FreeBSD Update 
In the final example for this article, I 
will show how to use binary upgrades 


Listing 34b. FreeBSD Update from 7.1 to 8.0-BETA3, continued 


/COPYRIGHT
...edited...
/var/named/etc/namedb/named.root
/var/yp/Makefile.dist
fbsd71-to-8# freebsd-update install
Installing updates...
Kernel updates have been installed.  Please reboot and run
"/usr/sbin/freebsd-update install" again to finish installing updates.
fbsd71-to-8# reboot

fbsd71-to-8# freebsd-update install
Installing updates...
Completing this upgrade requires removing old shared object files.
Please rebuild all installed 3rd party software (e.g., programs
installed from the ports tree) and then run "/usr/sbin/freebsd-update
install" again to finish installing updates.
fbsd71-to-8# pkg_info
cmdwatch-0.2.0_1    Watches the output from a command at specified intervals
screen-4.0.3_6      A multi-screen window manager
fbsd71-to-8# cd /var/db/pkg
fbsd71-to-8# pkg_delete cmdwatch-0.2.0_1/
fbsd71-to-8# pkg_delete screen-4.0.3_6/
fbsd71-to-8# reboot

fbsd71-to-8# uname -a
FreeBSD fbsd71-to-8.taosecurity.com 8.0-BETA3 FreeBSD 8.0-BETA3 #0: Sat
Aug 22 02:36:50 UTC 2009
root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386


via FreeBSD Update to upgrade from FreeBSD 7.1 RELEASE to FreeBSD
8.0 BETA3. I follow the instructions posted in the announcement for
BETA3
(http://lists.freebsd.org/pipermail/freebsd-stable/2009-August/051628.html).
By setting a proxy we can have the proxy provide copies of the
updates to similar systems that might also need to perform the
upgrade, as well as simply use a proxy to reach the Internet.

PLEASE NOTE that you should follow the instructions provided in any
release announcement and not just those in this document. For
example, the test system used in this article only has cmdwatch and
screen installed. This is NOT typical of a production system. It is
trivial for me to manually uninstall these applications compiled for
7.x and reinstall the latest versions compiled for 8.x. Therefore, I
do not show those steps here.

The official documentation describes ways to handle applications
installed as packages or using the ports tree.

This can take a long time, especially at the Inspecting system...
stages (see Listings 34a and 34b).

That's it - we're running FreeBSD 8.0 BETA3! We would have to
reinstall our applications, which is covered in my related article
on Keeping FreeBSD Applications Up-To-Date.

For reference, the install prior to the first reboot installs the
new kernel. The 'install' after the first reboot installs the new
userland. The install after the second reboot removes any old
libraries used by applications that we removed (i.e., cmdwatch and
screen).


Conclusion 

I hope this article has helped you understand the different ways to
keep a FreeBSD system up-to-date with security advisories. It is by
no means comprehensive, but by following it you hopefully can judge
the different ways to keep your system in sync with the latest
security patches and fixes for FreeBSD.


FreeBSD 8.0 RC1


The version included on the DVD is the 8.0-RC1 and not 8.0-RELEASE.
Please see below for update instructions.

The FreeBSD Update tool can be used to upgrade from FreeBSD 8.0-RC1
to FreeBSD 8.0-RELEASE once it becomes available. To use this tool,
run:

# freebsd-update upgrade -r 8.0-RELEASE

as root and follow the prompts; you may be asked to confirm that
some system configuration files have been correctly updated. This
will fetch and verify the files required to upgrade to 8.0-RELEASE.
Next, run

# freebsd-update install
# shutdown -r now

to install updates to the FreeBSD kernel and reboot; after
rebooting, run

# freebsd-update install

a second time, at which point non-kernel updates will be installed,
leaving you with a system running FreeBSD 8.0-RELEASE.







What is FreeBSD? 

FreeBSD is an advanced operating 
system for x86 compatible (including 
Pentium and Athlon), amd64 compatible 
(including Opteron, Athlon64, and 
EM64T), ARM, IA-64, PowerPC, PC-98 
and UltraSPARC architectures. It is 
derived from BSD, the version of UNIX 
developed at the University of California, 
Berkeley. It is developed and maintained 
by a large team of individuals. Additional 
platforms are in various stages of 
development. 


Cutting edge features 

FreeBSD offers advanced networking, 
performance, security and compatibility 
features today which are still missing 
in other operating systems, even some 
of the best commercial ones. Visit
http://www.freebsd.org/features.html to find
out more. 


Powerful Internet solutions 
FreeBSD makes an ideal Internet or 
Intranet server. It provides robust network 
services under the heaviest loads and 
uses memory efficiently to maintain 
good response times for thousands of 
simultaneous user processes. 


Advanced Embedded Platform 


From mail and web appliances to 
routers, time servers, and wireless 
access points, vendors around the 
world rely on FreeBSD’s integrated 
build and cross-build environments and 
advanced features as the foundation 


for their embedded products. And the 
Berkeley open source license lets them 
decide how many of their local changes 
they want to contribute back. 


Run a huge number of 
applications 

With over 20,000 ported libraries 
and applications, FreeBSD supports 
applications for desktop, server, appliance, 
and embedded environments. 


Easy to install 

FreeBSD can be installed from a variety 
of media including CD-ROM, DVD, or 
directly over the network using FTP or NFS. 
Get directions from www.freebsd.org. 


FreeBSD is free 

While you might 
expect an operating 
system with these 
features to sell for a 
high price, FreeBSD 
is available free of 
charge and comes 
with full source code. 


Contributing to 
FreeBSD 

It is easy to contribute to FreeBSD. All you need to do is find a
part of FreeBSD which you think could be improved and make those
changes (carefully and cleanly) and submit that back to the Project
by means of send-pr or a committer, if you know one. This could be
anything from documentation to artwork to source code. See the
Contributing to FreeBSD article at http://www.freebsd.org/about.html
for more information.

Even if you are not a programmer, there are other ways to contribute
to FreeBSD. The FreeBSD Foundation is a non-profit organization for
which direct contributions are fully tax deductible. Please contact
board@FreeBSDFoundation.org for more information or write to: The
FreeBSD Foundation, P.O. Box 20247, Boulder, CO 80308, USA.



















If the DVD content cannot be accessed and the disc is not damaged, try to 
run it on at least two DVD-ROMs. 









If you have encountered any problems with the DVD, please write to: cd@software.com.pl 

get started 


Using BSD 


for your Studies 





Edd Barrett 


About four years ago I was starting my undergraduate computing
degree. I knew that UNIX-like operating systems had proven
themselves in the server room, but how would they fare in the
lecture theatre?


At the time that I started studying, I had already been using
OpenBSD for a couple of years, but was curious as to whether it was
going to be feasible as an everyday study aid. In this informal and
non-technical article I hope to share my findings and highlight some
tools I found useful for my degree.


Introduction 

Academic computing boils down to three categories of tasks: coding,
documenting and diagramming, each of which I found to require
different specialised tools greatly depending upon the nature of the
task. Why did I need so many tools? A modern computing degree is
likely to comprise of a diverse range of subjects, usually including
units for object oriented programming, web-based programming,
software engineering techniques, relational databases, networking
and possibly computer law/ethics. Let's take a look at what free
software has to offer your BSD workstation with regards to these
subject areas.


Coding 

In terms of programming languages, a BSD user is spoilt for choice.
Take a look at your package collection and you will find a huge
selection of programming and scripting languages at your disposal.
My University primarily taught using the Java programming language
from Sun Microsystems (as many Universities now do). Initially for a
BSD user, this was quite awkward as Sun were very particular about
how Java could be distributed and no binary packages were available
for quite some time. Recently however, the OpenJDK project has been
ported to OpenBSD (in ports under devel/jdk), allowing Java to be
installed by simply using 'pkg_add'. I must admit that I tended to
choose C or C++ over Java if possible, as the compilers (gcc and
g++) are a part of the base install.

Other languages were also a breeze to install. PHP (www/php5) could
be used with the in-base apache web server shipping with OpenBSD for
the web-based unit. I also found myself using several other
scripting languages including Ruby (lang/ruby) and Python
(lang/python) for various other tasks.

Next you can start looking into a text editor or IDE to actually
write some code with. I think students are pretty much free to do as
they please here and I am sure most computing students will already
have a favourite text editor. I pretty much exclusively used Vim
(editors/vim) for coding and found it to be mostly excellent for
this purpose. A lot of my course-mates liked to use eclipse
(devel/eclipse) for Java development for its code completion
features and one of my lecturers (who even ran OpenBSD on his
laptop) swore by Nedit (editors/nedit). Ultimately text editors are
vastly down to personal choice, so I couldn't say any editor is the
best. My advice here is to go and play until you find one you like.

So now we have everything we need to start hacking out some code,
but there are some other tools you might wish to use. I went further
by using source control. A bit overkill, some might say (for a
single developer project), however I found these tools essential.
For those unfamiliar with the term source control (or sometimes
version control or source code management), this term relates to
tracking changes in a software project. So why would you want to do
that? Ever found yourself in a "Where did I get to again?" or a
"What have I changed that broke that?" situation?

Well, tools such as (but not limited to) CVS (in base install) or
subversion (devel/subversion) can help answer those questions. Also
if your source control server is separate from your workstation, a
code checkout acts as a poor man's backup. Once you have lost a
large portion of code once, for example, the bit you stayed up all
night last night implementing, you will see why backups are useful.
To complement source control, I recommend the Trac software package
(www/trac), which comes with a source control browser, bug tracker
and wiki. Very useful indeed.


Writing Documentation 
The next major task, and probably the most significant in any
degree, is the task of producing write-ups. At your disposal here
are two classes of software: word processors and typesetters. I am
sure you are all familiar with the concept of a word processor, so
we probably don't need a detailed discussion. For word processing,
the popular choice amongst free software users at my Uni was
OpenOffice Writer (editors/openoffice), which is a fully featured
word processing package offering an interface not dissimilar to
Microsoft Word. Other word processors you may wish to try are
AbiWord (editors/abiword) and Kword (x11/kde/office3).

Figure 2. Bouml makes tidy UML diagrams for your write-ups.

At the other end of the spectrum are typesetters, which take an
entirely different approach to document generation. With a
typesetter you write your document in a mark-up language which is
then compiled into a viewable document. During the first year of my
course I discovered the LaTeX typesetter and used it ever since for
all of my assignments. Some fellow students also picked up LaTeX and
found it practical too, but others disliked writing documents in
mark-up. Think of it like Marmite; you either love it or you hate
it, so try for yourself (print/texlive). Personally I like it
because:


The results look elegant and professional.

It is easily imported into source control because the input format
is textual.

Source code listings can be directly included by file name rather
than with copy and paste (and again when the source changes).


Drawing Diagrams 

Academics really love to invent diagram notations. After half a year
of University life you will find yourself knee deep in all kinds of
types of diagrams. I could never cover them all in this short
article, but what I can do is briefly cover the main ones which a
computing student is likely to need to know.

The most complete generic diagram drawing program that I found was
dia (graphics/dia). It is not dissimilar to Microsoft Visio and can
be used for entity relationship diagrams, flow charts, logical
network diagrams and much more, however you will often find that
specialist tools can achieve better results (if they exist).

Probably the most commonly used diagram for academic software
development is the Unified Modelling Language (UML) class diagram. A
bunch of people at the Object Model Group (OMG) devised a set of
diagrams which could be used to visually model aspects of software
projects. The UML class diagram is commonly used to model
relationships between classes in object oriented languages like Java
and C++. My personal choice for such a diagram is Bouml
(devel/bouml), which can model many different UML diagrams and also
output SVG/PNG graphics for inclusion in your write-ups. The user
interface is a little quirky at first, but once you get used to it,
you can slap up class diagrams very quickly and neatly.

For flow charts and control flow graphs, I found the best option to
be graphviz (math/graphviz). Like LaTeX, graphviz uses a markup
language which is compiled. One valuable realisation that I made
during my studies is that one of the benefits of these text based
mark-up languages is that they are easily auto-generated by other
pieces of software. Using for example the classic computer science
"off you go and implement a linked list" task; whilst you are
traversing your linked list, you could generate graphviz code. The
code when compiled could generate a directed graph, showing the
nodes of your linked list, then this could be included as a part of
your report. If you don't much like the idea of drawing diagrams in
code, then trusty old dia is probably going to be a better choice
for this kind of task.

Figure 3. TeXworks (print/texworks).

Often you will be required to carry out experiments, the results of
which need to be plotted on a graph for the purposes of observing
trends. A quick graph is very easily generated using OpenOffice
calc, and is usually the way I would choose to draw a small graph.
Having said that, sometimes it is not convenient to work in this
way. I once found myself with a large amount of data, which had been
collected automatically by a Java program. Inputting this vast chunk
of data would have been rather soul destroying and in such a
situation you may wish to look into a solution using gnuplot
(math/gnuplot). With a little research I managed to quickly adapt my
program to generate gnuplot source code, which I could compile and
include in my LaTeX documents.


Conclusion 
All in all, a BSD desktop is perfectly acceptable as a study
workhorse. If you did want to go down this path, I would recommend
using a stable release and not a developer snapshot, as things can
get awkward at times when really, you just want to finish that
darned assignment (I learnt that the hard way).

I think that any form of open-source software offers a large
learning opportunity to students. The code for such software is
freely available for study and citation. I benefited from this with
my dissertation, which was in the field of compiler design. I
frequently found myself referring the reader to various open source
language parser grammars and virtual machine implementations, which
otherwise would not have been available.

Ultimately you probably will get bitten by the Windows world at some
point. A large number of commercial specialist tools do not run on
BSD and there are no good open source alternatives. In these cases
you just have to find a Windows box and deal with it. Looking back,
I think I only found myself in this situation a couple of times and
you can always dual boot BSD and Windows if you wish.

If your University has UNIX labs, you may find some of the
aforementioned tools there readily available to you. We were lucky
enough to have access to a lab of Sun thin clients, running Solaris
10 and the N1 grid engine. We spent a lot of time in this lab,
exploring, tinkering and generally expanding our UNIX knowledge. We
even started a Bournemouth Uni UNIX user group which met on a
monthly basis to hold talks and demonstrations on the subject of
BSD, UNIX, Linux etc. Resources like these are a great way to learn
and meet like-minded students (and staff), so you may wish to see if
your Uni has one.

That about covers my key findings in my academic life so far. Of
course I could have gone into far more detail with many of these
topics, but that would be out of the scope of this article. I hope
you enjoyed the read, even if it was quite informal.


Chatterbox 








Eric Vintimilla 


Day in and day out, your FreeBSD sits there quietly, processing its workload. It never 
complains or asks for any favors, but what would it say if it could talk? 


The answer to that question is easy. It will say whatever you want
it to. With Festival, your FreeBSD box can be more talkative than
your last date!


What is festival? 


Festival is a system that gives users text to speech capabilities
through the shell level, a Scheme command interpreter, a C++
library, Java, or an Emacs interface. It offers various voices,
including different languages and accents, such as English (British
and American) and Spanish. Furthermore, more voices have been
created by Carnegie Mellon's FestVox project (http://festvox.org)
and it is relatively straightforward to create your own voice
library. Festival has two main modes: command mode, where it can
read input from files or interactively, and tts (text-to-speech),
where text input is rendered as speech.


Installing and setting up festival 
Installing Festival is quick and easy to do. Find its directory in 
your ports tree, and install it with portinstall. 


evvm# cd /usr/ports/audio/festival 


evvm# portinstall -P festival 


A few dependencies will be installed, but the process should 
not take that long. Now, enter Festival’s command line and run 
a test (see Listing 1). 





Listing 1. The Festival Command Interpreter

evvm# festival
WARNING
No default voice found in ("/usr/local/share/festival/lib/voices/")
either no voices unpacked or voice-path is wrong
Scheme interpreter will work, but there is no voice to speak with.
WARNING
Festival Speech Synthesis System 1.96:beta July 2004
Copyright (C) University of Edinburgh, 1996-2004. All rights reserved.
For details type `(festival_warranty)'
festival> (SayText "FreeBSD Rocks")
-=-=-=-=-=- EST Error -=-=-=-=-=-
{FND} Feature Token_Method not defined
festival> ^D
evvm#
It looks like there are no voice databases on our FreeBSD box, so we will
have to find some, but where? Luckily, Carnegie Mellon's Festvox voices can
also be found in the ports tree (Listing 2).

Listing 2. Voice Packs for Festival

evvm# ls /usr/ports/audio/ | grep festvox
festvox-abc
festvox-aec
festvox-czech
festvox-don
festvox-el11
festvox-hvs
festvox-jph
festvox-kal16
festvox-kal8
festvox-ked16
festvox-ked8
festvox-lp
festvox-mwm
festvox-ogirab
festvox-pc
festvox-rab16
festvox-rab8
festvox-tll
festvox-us1-mbrola
festvox-us2-mbrola
festvox-us3-mbrola
evvm# cd /usr/ports/audio/festvox-us1-mbrola/
evvm# portinstall -P

There should now be a us1_mbrola directory under
/usr/local/share/festival/lib/voices/english/. Now we can test Festival!

Listing 3. Testing Festival

evvm# festival
Festival Speech Synthesis System 1.96:beta July 2004
Copyright (C) University of Edinburgh, 1996-2004. All rights reserved.
For details type `(festival_warranty)'
festival> (SayText "FreeBSD Rocks!")
#<Utterance 0x28925c40>
festival>

You should have heard your FreeBSD box claiming its awesomeness.

What should your FreeBSD box say?

Now, you can have your FreeBSD machine say whatever you want, but
using Festival's command line interface may not be ideal. Luckily, Festival can
receive input from the shell using its --tts switch. It can be used to read files or
to speak the output of other processes. For example, to read an input file, you
would use the following command:

evvm# festival --tts inputfile.txt

To make Festival speak process output, you can just use a pipe:

evvm# date | festival --tts

You can go one step further, to make the text-to-speech process even easier. We
can create a shell script to allow us to pass in any text to Festival.

evvm# touch speak
evvm# chmod u+x speak
evvm# nano speak

#!/usr/local/bin/bash
# Locate the festival binary, then speak the first argument.
fest=$(/usr/bin/which festival)
/bin/echo "$1" | $fest --tts

Now, you can use this script to make FreeBSD say whatever you want:

evvm# ./speak "Hello!"
evvm# ./speak "$(date)"
While having a text-to-speech system may not be as useful as setting up jails
or a wireless access point, it can still be used to make your machine more
interesting. First, you can set up your computer to greet you every time you
log in. If you use bash, just edit your ~/.bash_profile file, and add the following
to the end of it:

sh ~/scripts/speak "Hello $(whoami)!"

Now, every time you log in, your computer will greet you, using your username. You
can also have Festival read your mail.

evvm# ~/scripts/speak "$(cat /var/mail/$(whoami))"

You can also have your FreeBSD speak reminders to you.

evvm# echo "~/scripts/speak 'You need to buy milk'" | at 15:00

Your FreeBSD box can read logs or other documents to you. You can even
be mischievous and play tricks on roommates. When you are not home,
SSH into your system, and try something like:

evvm# ~/scripts/speak "I'm watching you."


Summary 

Using Festival on your FreeBSD machine 
can be both useful and fun. You can save 
yourself reading time and multitask while 
you listen to text. There are so many things 
your system can read to you, including 
logs, emails, alerts, and reminders. The 
possibilities are practically endless. 
Encrypting the FreeBSD root file system

Jacques Manukyan

Systems are only as secure as you make them. Thankfully, FreeBSD offers an
excellent range of tools and mechanisms to ensure that all your security needs are
met.


No matter how much time you spend securing your operating system, if your
workstation or server is physically stolen, you can be sure that your sensitive
data will be accessed by someone other than you. One way to thwart this type of
attack is to encrypt your root and other file systems. One tool you can use in
FreeBSD to encrypt your file systems, and specifically your root file system, is
the cryptographic class called geli.

Keep in mind that security doesn't end simply because you encrypted your file
systems. When your server or workstation is up and running, your root and other
file systems are mounted and decrypted. This provides the potential for your
sensitive data and information to be stolen if your workstation or server is
connected to a network, since an attacker could still breach your operating
system and view or copy your data. It is up to you, the system administrator, to
diligently continue to protect your operating system even after encrypting your
root and other file systems.


Geli, a different kind of disk encryption

Starting with FreeBSD 6.0, a new cryptographic GEOM class was made available
called GELI. GELI differs greatly from GBDE, the traditional disk encryption
system written for FreeBSD and initially introduced in FreeBSD version 3.0.

The most important features of geli are as follows:

Utilizes the crypto(9) framework, so when there is crypto hardware available,
geli will make use of it automatically.

Supports multiple cryptographic algorithms. As of FreeBSD 7.2, geli supports
AES, Blowfish, Camellia, and 3DES.

Can optionally perform data authentication and integrity verification utilizing
one of the following algorithms: HMAC/MD5, HMAC/SHA1, HMAC/RIPEMD160,
HMAC/SHA256, HMAC/SHA384 or HMAC/SHA512.

It is fast: geli performs simple sector-to-sector encryption.


Considerations and Preparatory Work

Before encrypting your root file system, you must first determine the
authentication mechanism which decrypts the geli encrypted file system.

Geli currently supports the following mechanisms:

Passphrase
Keyfile
Keyfile plus passphrase

The passphrase mechanism is by far the simplest to utilize and set up. All you
need to get a geli encrypted root file system utilizing a passphrase is a DVD
drive and a DVD media of the FreeBSD operating system.


To keyfile or not to keyfile 

If you are going to utilize just a keyfile without a passphrase, 
you must first consider a few things. The keyfile must be kept 
secure from the world as anyone who can get their hands on 
the keyfile can decrypt your file systems. 

If you decide to save the keyfile locally on the boot drive 
that you are encrypting, then anytime the server is rebooted, 
it automatically decrypts the root file system. This basically 
defeats the purpose of encryption simply because if anyone 
can decrypt the drive, then it is just as vulnerable as a non 
encrypted drive. 

If you decide to utilize a keyfile, you must move the keyfile 
to a removable media and keep it secure. For example, you 
would put the keyfile on a bootable CD or DVD media or a 
bootable USB device. You would then boot up the system off of the DVD or
CD media, or USB device. The DVD, CD, or USB device will load the kernel, and
then it will decrypt and mount the root file system. Without the DVD, CD, or USB
device, you would not be able to boot up your root file system.

To reiterate, here are the basic requirements for setting up a geli encrypted
root file system utilizing the different decryption mechanisms:

DVD drive
DVD media of the FreeBSD operating system
Writable CD or DVD drive with a blank CDR or DVDR media (method 1)
USB port with a USB thumb drive (method 2)
A working computer with FreeBSD installed

To start the installation process, you must boot up your server with the
FreeBSD operating system DVD media. For the below examples, I am utilizing
the FreeBSD 7.2 DVD image found on the FreeBSD Project website
(http://www.freebsd.org/). I'm also utilizing only one 40 GB SCSI hard disk in my
workstation.

Once the FreeBSD DVD media starts the installer, select the Fixit option from
the menu. Then select option number 2 to use the live file system from the DVD
media. This will drop you into a shell.

We want to create two slices on our primary hard disk. The boot directory,
where the programs and configuration files used during the operating system
bootstrap are located, cannot be on an encrypted file system. [...] slice and in
turn, geli will load as [...]. Geli will then decrypt the second slice and boot
up the root and other file systems located on the partitions on slice two.

[Figure "fdisk 1": the FDISK Partition Editor, showing the warning displayed before changes are written to the disk]

[Figure "fdisk": the FDISK Partition Editor after the slices are written, with the message "Wrote FDISK partition information out successfully."]

[Figure "Geliinit": the Fixit shell session creating the two symlinks and running geli init on the second slice; geli asks for the new passphrase twice and reports "Done, using 1869311 iterations."]

Before creating the two slices, we need to determine how much space we want to
utilize for the boot slice. I usually use a 300 MB slice size for the boot
slice. I then dedicate the rest of the space for the second, operating system,
slice. The boot slice of 300 MB is large
enough to accommodate my kernel and
additional items. At a bare minimum
however, I recommend at least a 150 MB
slice. Please be aware that if you do not
give yourself enough room on your boot
slice, you may run into disk constraint
problems in the future when upgrading
your server.

At the command prompt, you would
use the fdisk utility to create your two
slices. Please refer to the fdisk(8) man
page for more information on utilizing
fdisk.

If you are unfamiliar with the fdisk
command or utility, you can use the
guided sysinstall utility to create your
two slices. To do this, type exit at the
command prompt to go back to the
sysinstall menu. Next, go back to the
sysinstall main menu. From there, select
Configure. Now scroll down and select
the Fdisk option. This will bring you to the
FDISK Partition Editor.

Now let's create our two slices using the FDISK Partition Editor. Hit c
for Create Slice and specify a value of 300M. Set the type to 165, which is the
default, to create a native FreeBSD slice. Now hit c again to create the second
slice. Select the default value given for the size, which should already be set
to the maximum available space left on the drive. Then set the type to 165
again. Now hit w to write the changes to the disk. You will then be asked if you
want to install a boot manager. Install the FreeBSD Boot Manager and then
hit ok. FDISK should have completed successfully now (Figure 2). Hit q to exit
the FDISK Partition Editor.

Listing 1. Partitioning scheme

# /dev/da0s2.eli:
8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:       2G        *    4.2BSD        0     0
  b:       2G        *      swap
  c: [illegible]     0    unused        0     0         # "raw" part, don't edit
  d:       4G        *    4.2BSD        0     0
  e:       2G        *    4.2BSD        0     0
  f:        *        *    4.2BSD        0     0

[Figure 4. Installbase: the Fixit shell running ./install.sh, which asks for confirmation before extracting the base distribution into /mnt/new]

[Figure 5. Bootup: console output showing the geli passphrase prompt for da0s2, GEOM_ELI creating device da0s2.eli with AES-CBC 256 software encryption, the GEOM_LABEL lines for the partitions, and the root file system being mounted from ufs:/dev/da0s2.elia]

Now that we have created the two slices, go back to the sysinstall main
menu and go back to the Fixit shell.

Once at the Fixit shell, we want to first set up our editor. To do this, issue
the following command:

# export EDITOR=/dist/usr/bin/vi

Now that our default editor is set up, we want to create two symlinks so that we
can load the geli kernel module. Issue the following commands at the command
prompt:

# ln -s /dist/lib /lib
# ln -s /dist/boot/kernel /boot/modules

Now we can load the geli module. Issue the following command to load the geli
module:

# kldload geom_eli

Now that geli is loaded, let us encrypt our second slice. My second slice is
called da0s2 so I will issue the following command:

# geli init -v -b -e aes -l 256 -s 4096 /dev/da0s2


The -b option specifies that I want geli to ask for the passphrase on boot.
The -e and -l options specify the encryption algorithm and key length. In
this example, I want to use AES 256. The -s option specifies the sector size.
I chose a large sector size to increase performance. Please refer to the geli(8)
man page for detailed configuration information.

When issuing the geli init command, you will be asked to specify a
passphrase twice (Figure 3).

Now that our slice is encrypted, we need to attach our slice so that we
can start using it. Issue the following command to attach the slice:

# geli attach /dev/da0s2

You will be asked for your passphrase before the slice is attached. Once the
slice is attached or decrypted, it will be made available to the operating system
via a new device. In this case, our new device is called /dev/da0s2.eli.

We now create a single partition on our first or boot slice. Issue the following
command:

# bsdlabel -w /dev/da0s1

This will create a device called /dev/da0s1a.

We need to now create our partitions on the second slice. Issue the following
commands:

# bsdlabel -w /dev/da0s2.eli
# bsdlabel -e /dev/da0s2.eli

You must now decide how you want to partition your operating system. For this
example, I'm going to use the following scheme (see Listing 1).

In this example, I'm going to use partition a as my root / file system and I'm
allocating 2 GB of space for it. Partition b is my swap and I'm allocating 2 GB
to it. Partition d will be my /var directory and I'm allocating 4 GB to it.
Partition e will be my /tmp directory and I'm allocating 2 GB to it. And finally,
partition f will be my /usr directory and I'm allocating all available space to it.

Note

I'm leaving the offset values at * which will make bsdlabel handle the values
automatically.

Now save and exit the bsdlabel screen. We can now create our file systems using
the newfs command. Issue the following commands (see Listing 2).

As you noticed, I issued the -O 2 option to newfs. This creates a UFS 2 file
system rather than a UFS 1 file system. Please refer to the newfs(8) man page for
more options.

Now that we created our new file systems, we want to mount them. To
do this, we must first create our mount points. Issue the following commands at
the command prompt:

# mkdir /mnt/boot
# mkdir /mnt/new

We can now mount our file systems by issuing the following commands:

# mount /dev/da0s1a /mnt/boot
# mount /dev/da0s2.elia /mnt/new

Now that our root file system is mounted to /mnt/new, we need to create the
directory structure to mount our other file systems. Issue the following commands:


# mkdir /mnt/new/var 
# mkdir /mnt/new/tmp 


# mkdir /mnt/new/usr 


Now we can go ahead and mount our 
other file systems that we created: 


# mount /dev/da0s2.elid /mnt/new/var 


# mount /dev/da0s2.elif /mnt/new/usr 




Note that I am not mounting the /dev/da0s2.elie device or our /tmp file
system. The reason behind this is that during the operating system installation
that we are going to be doing, no information is going to be written to that
file system.

Now that our file systems are 
mounted, we can go ahead and install 
the operating system. Before we proceed 
with the installation, we need to specify 
the location we are going to install the 
operating system files into. To do this, 
issue the following command: 


# export DESTDIR=/mnt/new 


We can now install the operating system.
Issue the following commands to start
the installation process:


# cd /dist/7.2-RELEASE/base 
# ./install.sh 


You will be asked to confirm that you want 
to install the base into /mnt/new. Just type 
y and hit enter (Figure 4). This step will 
take a few minutes depending on the 
speed of your DVD drive and hard drive. 

If you are using a different version of FreeBSD, replace 7.2-RELEASE with the
name corresponding with the version you are installing.

The base operating system will now install onto our encrypted slice
and partitions, which are mounted and decrypted.

Listing 2. File system creation

# newfs -O 2 /dev/da0s1a
# newfs -O 2 /dev/da0s2.elia
# newfs -O 2 /dev/da0s2.elid
# newfs -O 2 /dev/da0s2.elie
# newfs -O 2 /dev/da0s2.elif


Listing 3. Sample fstab entries 


# Device Mountpoint 


Pass# 


/dev/da0s2. 
/dev/da0s2. 
/dev/da0s2. 
/dev/da0s2. 
/dev/da0s2. 
If you optionally want to install the man pages, you can issue the following
commands:

# cd /dist/7.2-RELEASE/manpages
# ./install.sh

Likewise, if you want to optionally install the FreeBSD docs, you can issue the
following commands:

# cd /dist/7.2-RELEASE/doc
# ./install.sh

Now that our base operating system is 
installed, we want to install our kernel. 
Issue the following commands to install 
the kernel: 


# cd /dist/7.2-RELEASE/kernels 


# ./install.sh generic 


The kernel will install itself into the /mnt/ 
new/boot/GENERIC directory. We now want 
to move the kernel to its proper location. 
Issue the following commands at the 
command prompt: 


# rmdir /mnt/new/boot/kernel
# mv /mnt/new/boot/GENERIC /mnt/new/boot/kernel


We now want to make sure that geli 
loads during the boot-up process so 
that it can decrypt our encrypted root 
file system. To do this, issue the following 
command: 
# echo geom_eli_load=\"YES\" > /mnt/new/boot/loader.conf

Geli and kbdmux, the keyboard multiplexer driver, seem to have problems
working together. For geli to work properly, we need to disable the kbdmux
driver. We can do this by issuing the following command at the command
prompt:

# echo hint.kbdmux.0.disabled=\"1\" >> /mnt/new/boot/device.hints


Now that we have our boot directory set up on the /mnt/new file system, we
want to copy it over to our boot slice.

We want to make sure that we preserve all file permissions, file
modes, user IDs, and group IDs. To do this, issue the cp command with the -p
option and the -R option, for recursion, as follows:

# cp -Rp /mnt/new/boot /mnt/boot/

We now want to create a proper fstab so that our file system is mounted properly
on boot-up. Issue the following command at the command prompt:

# vi /mnt/new/etc/fstab





Based on the partitions I created, I would create the following entries within
the fstab file (see Listing 3).

You can specify additional options or make changes to the above entries
based on your needs. Please reference the fstab(5) man page for more information.

Now that we created an fstab, we want to copy it over to the boot slice. To
do this, issue the following commands:

# mkdir /mnt/boot/etc
# cp /mnt/new/etc/fstab /mnt/boot/etc/fstab


We are now finished with setting up our system. We can unmount our file
systems and then reboot our server. Issue the following commands:

# umount /mnt/boot
# umount /mnt/new/var
# umount /mnt/new/usr
# umount /mnt/new

You can now power cycle your server. Make sure you remove the FreeBSD
installation media. When the server reboots, you will be presented with a
prompt asking you to specify your passphrase.





Listing 4. Partitioning scheme

# /dev/da1.eli:
8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:       2G        *    4.2BSD        0     0
  b:       2G        *      swap
  c: 10465759        0    unused        0     0         # "raw" part, don't edit
  d:       4G        *    4.2BSD        0     0
  e:       2G        *    4.2BSD        0     0
  f:        *        *    4.2BSD        0     0

Listing 5. Sample fstab entries

# Device          Mountpoint  FStype  Options  Dump  Pass#
/dev/da0.elib     none        swap    sw       0     0
/dev/da0.elia     /           ufs     rw       1     1
/dev/da0.elid     /var        ufs     rw       2     2
/dev/da0.elie     /tmp        ufs     rw       2     2
/dev/da0.elif     /usr        ufs     rw       2     2
Once you specify the proper passphrase, geli will decrypt and mount
the file systems (Figure 5). You can now login as root. Note that there is
no password for root yet. Your server or workstation is not configured. You
would need to configure your server or workstation and create a proper
rc.conf.


Upgrades, Updates, and Patching 

One thing to consider when running this kind of setup is that your boot slice
will need to be updated in parallel to your root slice. If you decide to compile
a new kernel, you want to make sure that you enable geli within your new kernel.
To do this, just specify the following options within your kernel configuration
file:

options GEOM_ELI
device crypto


For additional information on compiling 
a new kernel, reference chapter 8 of the 
FreeBSD handbook. 

Once you compile a new kernel and 
you install it, you will need to make sure 
you copy it over to your boot slice. You 
can always mount your boot slice and 
copy over the new updates. For example, 
you could do something like this: 


# mkdir /mnt/boot
# mount /dev/da0s1a /mnt/boot
# rm -R /mnt/boot/boot
# cp -Rp /boot /mnt/boot/
# umount /mnt/boot


If you ever run into an issue where you accidentally damaged your boot partition
and you can't boot up your operating system, you can always boot off of the
FreeBSD operating system DVD media. You can then go to the Fixit shell, load
geli, and then mount your encrypted file systems along with your boot partition.
You can then repair whatever damage you may have caused. If all else fails,
you can always install the default kernel that is found on the FreeBSD operating
system DVD media.
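The boot slice is the one part of this layout that is not encrypted, and it has to be kept in step with /boot on the encrypted root by hand. The following script is an added example, not part of the original article: it hashes both trees and reports files that are stale, missing, or present only on the boot slice. The function names and the constructed sample trees in demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the article: report where the boot slice's copy of
# /boot differs from the copy on the encrypted root.

# Print the SHA-256 digest of one file. FreeBSD ships sha256(1); sha256sum is
# used as a fallback so the script also runs on other systems.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Print "path<TAB>digest" for every regular file below directory $1.
manifest() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s\t%s\n' "$f" "$(hash_file "$f")"
      done )
}

# compare_boot REFERENCE COPY
# REFERENCE is /boot on the encrypted root, COPY is the tree on the boot slice.
# Prints one finding per line and returns 1 if the trees differ, 0 if not.
compare_boot() {
    ref=$(mktemp) || return 2
    cur=$(mktemp) || { rm -f "$ref"; return 2; }
    manifest "$1" > "$ref"
    manifest "$2" > "$cur"
    diffs=$(awk -F '\t' '
        FILENAME == ARGV[1] { want[$1] = $2; next }
        { seen[$1] = 1
          if (!($1 in want))       print "EXTRA   " $1
          else if (want[$1] != $2) print "CHANGED " $1 }
        END { for (f in want) if (!(f in seen)) print "MISSING " f }
    ' "$ref" "$cur" | LC_ALL=C sort)
    rm -f "$ref" "$cur"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# Constructed sample trees: a stale kernel, a file that was never copied to
# the boot slice, and a file that exists only on the boot slice.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/root/kernel" "$t/slice/kernel"
    echo 'kernel build 2' > "$t/root/kernel/kernel"
    echo 'kernel build 1' > "$t/slice/kernel/kernel"
    echo 'geom_eli_load="YES"' > "$t/root/loader.conf"
    cp "$t/root/loader.conf" "$t/slice/loader.conf"
    echo 'hint.kbdmux.0.disabled="1"' > "$t/root/device.hints"
    echo 'placeholder' > "$t/slice/kernel/unknown.ko"
    compare_boot "$t/root" "$t/slice" && rc=0 || rc=$?
    rm -rf "$t"
    return "$rc"
}

# On a live system, with the boot slice mounted as in the commands above:
#   ./bootcheck.sh /boot /mnt/boot/boot
if [ "$#" -eq 2 ]; then
    compare_boot "$1" "$2"
fi
```

A CHANGED or MISSING line after an upgrade means the boot slice was not refreshed; an EXTRA line is a file that never came from the encrypted root and deserves a closer look.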


Using a boot CD/DVD or USB drive to load an encrypted FreeBSD root file system

In this section of the article, we're going to create a boot CD or DVD to boot
up and decrypt our encrypted root file system. We are going to use a keyfile
and password to decrypt our root file system.

If you don't want to use a boot CD or DVD, you can always use a bootable
USB thumb drive.

Using a boot CD or DVD, or booting 
off of a USB drive to decrypt and mount 
a FreeBSD root file system requires that 
you already have a FreeBSD server up 
and running. You will also need a spare 
hard drive that you will be encrypting and 
installing the FreeBSD operating system 
onto. 

In this article, I am running a workstation with FreeBSD 7.2 already installed. I
have two SCSI hard drives. They are as follows:

Drive da0: contains my FreeBSD 7.2 installation.

Drive da1: empty disk which will contain my new encrypted root file system.

To start, boot up into a shell prompt on your workstation. Make sure you have
the geli kernel module compiled into your kernel. If you don't, you will need to
recompile your kernel with geli support. Please reference chapter 8 of the
FreeBSD handbook for information on how to recompile your kernel.

We need to load the geli module so issue the following command at the
command prompt:

# kldload geom_eli


Now that geli is loaded, we need to first create a directory where we will store
our keyfile temporarily. For this example, I'm going to store my keyfile in the
/root/boot/key directory. I then want to create a keyfile that is 256k in size.

# mkdir -p /root/boot/key
# dd if=/dev/random of=/root/boot/key/master.key bs=256k count=1

I created a keyfile with random binary data located in the /root/boot/key
directory called master.key.

Next I want to create my encrypted disk. I want to use a keyfile along with
a password. This gives me additional protection in case someone gets a hold
of my keyfile.

# geli init -v -b -e aes -l 256 -s 4096 -K /root/boot/key/master.key /dev/da1

As you can see, I added the -K option to the geli init command. This specifies
that I want to use a keyfile.

Now that our disk is encrypted, we need to attach our disk so that we can
start using it. Issue the following command to attach the disk:

# geli attach -k /root/boot/key/master.key /dev/da1

Note that we specified the -k option, in lower case, with the path to our keyfile.
You will be asked for your passphrase before the disk is attached. Once the disk
is attached or decrypted, it will be made available to the operating system via a
new device. In this case, our new device is called /dev/da1.eli.

We need to now create our partitions on the attached drive. Issue the following
commands:

# bsdlabel -w /dev/da1.eli
# bsdlabel -e /dev/da1.eli


You must now decide how you want to partition your operating system. For this
example, I'm going to use the following scheme (see Listing 4).

In this example, I'm going to use partition a as my root / file system
and I'm allocating 2 GB of space for it. Partition b is my swap and I'm
allocating 2 GB to it. Partition d will be my /var directory and I'm allocating
4 GB to it. Partition e will be my /tmp directory and I'm allocating 2 GB to
it. And finally, partition f will be my /usr directory and I'm allocating all
available space to it. Note that I'm leaving the offset values at * which
will make bsdlabel handle the values automatically.

[Figure 6. Bootup 2: console output showing the geli passphrase prompt, GEOM_ELI creating the .eli device with AES-CBC 256 software encryption, the GEOM_LABEL lines for the partitions, and the root file system being mounted from the .elia partition]

Now save and exit the bsdlabel screen. We can now create our file
systems using the newfs command. I'm going to create UFS 2 file systems so I
issue the following commands:

# newfs -O 2 /dev/da1.elia
# newfs -O 2 /dev/da1.elid
# newfs -O 2 /dev/da1.elie
# newfs -O 2 /dev/da1.elif

Now that we created our new file systems, we want to mount them. To do this,
we must first create our mount point. Issue the following command at the
command prompt:

# mkdir /mnt/new

We can now mount our file system by issuing the following command:

# mount /dev/da1.elia /mnt/new

Now that our root file system is mounted to /mnt/new, we need to create the
directory structure to mount our other file systems. Issue the following commands:


# mkdir /mnt/new/var 
# mkdir /mnt/new/tmp 


# mkdir /mnt/new/usr 


Now we can go ahead and mount our 
other file systems that we created: 


# mount /dev/da1.elid /mnt/new/var
# mount /dev/da1.elif /mnt/new/usr

Note that I am not mounting the /dev/da1.elie device or our /tmp file system.
The reason behind this is that during the operating system installation that
we are going to be doing, no information is going to be written to that file
system.

Now that our file systems are mounted, we can go ahead and install the
operating system. You are going to need to download the full FreeBSD source
via csup or cvsup. For information on how to download the FreeBSD source,
please refer to chapter 6 of the FreeBSD handbook.

By default, you should have downloaded the FreeBSD source into the
/usr/src directory. We're going to need to buildworld first so issue the following
commands:

# cd /usr/src
# make buildworld


Please note that this will take quite a 
while depending upon the speed of 
your workstation or server. Now that 
you have compiled the source, we want 
to install it on the new encrypted file 
system. Issue the following commands 
to install the compiled source to our 
encrypted disk: 


# make installworld DESTDIR=/mnt/new 


# make distribution DESTDIR=/mnt/new 


Now that we're done installing the 
FreeBSD operating system on the 
new drive, we want to compile a new 
kernel. 

If you want to compile a custom 
kernel, make sure that you have geli 
enabled and that you disabled kbdmux. 
To enable geli, add the following to your 
custom kernel: 


options GEOM_ELI
device crypto

[Figure 7. fixit: the Fixit shell welcome banner]

To disable kbdmux, make sure you omit the following line from your custom
kernel:

device kbdmux # keyboard multiplexer


For additional information on compiling a 
custom kernel, reference chapter 8 of the 
FreeBSD handbook. 

To compile our kernel, we issue the 
following command: 


# make buildkernel KERNCONF=GENERIC 


In this example, I'm going to use the ge- 
neric kernel. After your kernel compiles, 
install it onto your new drive by issuing 
the following command: 


# make installkernel KERNCONF=GENERIC DESTDIR=/mnt/new


We now want to make sure that geli 
loads during the boot-up process so 
that it can decrypt our encrypted root 
file system. 

To do this, we want to edit the
loader.conf file. Issue the following
command:


# vi /mnt/new/boot/loader.conf


We now want to create the proper entries
in loader.conf so that it loads geli
and the keyfile. Do this by putting the
following in loader.conf:


geom_eli_load="YES"
geli_da0_keyfile0_load="YES"


geli_da0_keyfile0_type="da0:geli_keyfile0"
geli_da0_keyfile0_name="/key/master.key"


Keep in mind that while we're setting
up the loader.conf file, you have to
reference the hard drive by what it will
be called when you move it to its final
destination. For example, I'm going to put
my second SCSI drive, called da1, into a
new workstation. On that workstation, it
will become the primary drive, or da0.
Replace da0 in the above example
with whatever name the drive will
have there.

Geli and kbdmux, the keyboard
multiplexer driver, seem to have
problems working together. For geli to
work properly, we need to disable the
kbdmux driver. We can do this by issuing
the following command at the command
prompt:


# echo hint.kbdmux.0.disabled=\"1\" >> /mnt/new/boot/device.hints


This will not be necessary if you disabled
kbdmux inside the kernel.

Now that we have our boot directory
set up on the /mnt/new file system, we
want to copy it over to our temporary
boot directory, which in this case will be
/root/boot. We want to make sure that we
preserve all file permissions, file modes,
user IDs, and group IDs. To do this, issue
the cp command with the -p option and
the -R option, for recursion, as follows:


# cp -Rp /mnt/new/boot /root/boot/


We now want to create a proper fstab so 
that our file system is mounted properly 
on boot-up. Issue the following command 
at the command prompt: 


# vi /mnt/new/etc/fstab 


Based on the partitions I created, I would
create the following entries within the
fstab file (see Listing 5).

Again, keep in mind that I am
referencing the final location of the
drive. When I move this drive to my other
workstation, it will become the primary
drive and it will be referenced as da0 in
the operating system.

You can specify additional options 
or make changes to the above entries 


based on your needs. Please reference 
the fstab(5) man page for more 
information. 

Now that we created an fstab, we
want to copy it over to our temporary
boot directory. To do this, issue the following
commands:


# mkdir /root/boot/etc
# cp /mnt/new/etc/fstab /root/boot/etc/fstab
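A pre-flight check for the staged tree, run before unmounting /mnt/new: it confirms that loader.conf, device.hints and fstab all use the name the disk will have in its final machine. This is an added example, not code from the article; the function names, the .eli fstab entries and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article.
# check_geli_stage STAGE DEV
#   STAGE  staged root tree (the article uses /mnt/new)
#   DEV    name the disk will have in its final machine (da0 in the article)
# Leaves one finding per line in PROBLEMS; returns 0 only when there are none.

note() { PROBLEMS="${PROBLEMS:+$PROBLEMS
}$1"; }

check_geli_stage() {
    stage=$1 dev=$2
    loader="$stage/boot/loader.conf"
    hints="$stage/boot/device.hints"
    fstab="$stage/etc/fstab"
    PROBLEMS=""

    # loader.conf must load GELI and the key file under the final device name.
    for want in \
        'geom_eli_load="YES"' \
        "geli_${dev}_keyfile0_load=\"YES\"" \
        "geli_${dev}_keyfile0_type=\"${dev}:geli_keyfile0\""
    do
        grep -qxF "$want" "$loader" 2>/dev/null || note "loader.conf: missing $want"
    done
    grep -q "^geli_${dev}_keyfile0_name=\"/[^\"]*\"\$" "$loader" 2>/dev/null ||
        note "loader.conf: no key file path for $dev"

    # Key file settings left over for the name the disk has on the build host.
    for other in $(sed -n 's/^geli_\([a-z0-9]*\)_keyfile0_[a-z]*=.*/\1/p' \
                       "$loader" 2>/dev/null | sort -u); do
        [ "$other" = "$dev" ] || note "loader.conf: key file settings still name $other"
    done

    # kbdmux has to be off (unless it was left out of a custom kernel).
    grep -qxF 'hint.kbdmux.0.disabled="1"' "$hints" 2>/dev/null ||
        note "device.hints: kbdmux is not disabled"

    # Every GELI provider in fstab must sit on the final device.
    eli=$(awk '$1 !~ /^#/ && $1 ~ /\.eli$/ { print $1 }' "$fstab" 2>/dev/null) || eli=""
    [ -n "$eli" ] || note "fstab: no .eli providers listed"
    for prov in $eli; do
        case $prov in
            /dev/"$dev"[!0-9]*) ;;
            *) note "fstab: $prov is not on $dev" ;;
        esac
    done

    [ -z "$PROBLEMS" ]
}

# Constructed sample: a minimal staged tree written as if the disk were NAME.
make_sample_stage() {
    root=$1 name=$2
    mkdir -p "$root/boot" "$root/etc"
    cat > "$root/boot/loader.conf" <<EOF
geom_eli_load="YES"
geli_${name}_keyfile0_load="YES"
geli_${name}_keyfile0_type="${name}:geli_keyfile0"
geli_${name}_keyfile0_name="/key/master.key"
EOF
    echo 'hint.kbdmux.0.disabled="1"' > "$root/boot/device.hints"
    cat > "$root/etc/fstab" <<EOF
# Device             Mountpoint  FStype  Options  Dump  Pass
/dev/${name}s1b.eli  none        swap    sw       0     0
/dev/${name}s1a.eli  /           ufs     rw       1     1
EOF
}

# Demo: the tree was written with the build host's name (da1) but will boot as da0.
demo=$(mktemp -d)
make_sample_stage "$demo" da1
if check_geli_stage "$demo" da0; then
    echo "staged tree is consistent for da0"
else
    printf '%s\n' "$PROBLEMS"
fi
rm -rf "$demo"
```

On the build host the call would be check_geli_stage /mnt/new da0, with da0 replaced by the final device name.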


We are now finished with setting up our 
system. We can now unmount our file 
systems. Issue the following commands: 


# umount /mnt/new/var 
# umount /mnt/new/usr 


# umount /mnt/new 


We now want to either create a bootable
CD or DVD, or use a bootable USB thumb
drive to boot up our new system. To use
a bootable CD or DVD, install CDRTools
from the ports directory (sysutils/cdrtools).
This will install mkisofs, which
we will use to create our bootable CD
or DVD.

Issue the following command at the
command prompt to create our bootable
CD or DVD:


# mkisofs -R -no-emul-boot -b boot/cdboot -o /root/boot.iso /root/boot


The above command will take the items 
inside your /root/boot directory and 
create a proper CD or ISO image. You 
can now burn the ISO image to a CD 
or DVD using your favorite CD or DVD 
burning software. 

You can now shut down your
workstation and move the new drive to
the new workstation or server. You will 
need to use your bootable CD or DVD to 
start up your workstation. During the boot 
up process, you will be asked for your 
passphrase. The keyfile will automatically 
be loaded (Figure 6). You will not be 
able to boot up your operating system 
unless you use your bootable CD or DVD 
media. 

Keep in mind that you have a copy
of your keyfile within the root directory
located at /root/boot/key/master.key.
I recommend you delete this file and
the ISO image you created for security
purposes. Your ISO image also contains
your master.key file within it. You should
also consider creating a second, backup
copy of the DVD or CD in case the first
one gets damaged.

If you decide to use a bootable USB
thumb drive instead of a bootable DVD
or CD, you need to make sure that your
computer's BIOS supports booting off
of USB devices. To set up a bootable
USB thumb drive, you would partition
and format the USB thumb drive using
fdisk and bsdlabel. You would pass
the -B option to both so that it creates
a bootable partition. You would then
mount and copy over the /root/boot
directory.


Upgrades, Updates, and Patching
One thing to consider when running
this kind of setup is that if you lose your
bootable CD or DVD, you will lose your
whole drive. Therefore, I recommend you
create a backup bootable CD or DVD
and keep it in a safe, secure place.
Keep in mind that if you need to
recompile your kernel, you will need to
create a new boot CD or DVD. When
you compile a new kernel, copy over the
new kernel to your /root/boot directory.
Then copy your keyfile from the CD or
DVD into the /root/boot/key/master.key
location. After that, you can create a
bootable ISO and burn to DVD or CD.
Remember to delete your master.key
and the bootable ISO off of your hard
drive when you are done burning your
DVD or CD. If instead of a bootable CD
or DVD, you are using a bootable USB
boot drive, you will need to mount your
USB device and copy over the updated
kernel.


Setting up PC-BSD as a server

Jan Stedenhouder





PC-BSD is so easy to install and the KDE desktop easy enough to use that we might
almost forget its roots as a server operating system. Now, and in the future, the majority
of desktop users might not consider this piece of information of any value.


But in others, the tinkerers, it might trigger the itch to
try their hand at setting up a BSD or Linux based
server. FreeNAS (BSD) or ClarkConnect (Linux) are
tailor-made for such an experiment.

Personally, I am the proud owner of a Bubba Two home
server, which in essence is a Debian-based appliance with
an easy-to-understand web interface to set up the file, mail,
media and print servers. My question then became: would
it be possible to build something similar but with PC-BSD as
a starting point? The answer, no doubt, is: sure, why not? In
this series of articles we will build up a home server, adding
new building blocks step by step. The starting point is that
of a desktop user, used as he or she is to a nice graphical
user interface. The first article deals with installing PC-BSD as
a server, installing Webmin (a web-based tool to manage this
new server) and making changes to the firewall in order to be
able to use Webmin.


Installing PC-BSD as a server 

The option to install PC-BSD as server is already part of the 
graphical installation wizard. Just put the cd or dvd in the drive 
and boot the computer. Following the wizard we need to set 
up the system language and the keyboard layout, agree to 
the license agreement, before we can select Server edition as 
installation option (Figure 1). 

This selection is the only one different from a regular 
installation of the desktop edition. The following steps of 
the wizard are exactly the same, including the possibility 
to install various desktop programs by selecting their PBI’s 
(like Amarok and Firefox). The installer proposes a simple 
setup for the disk partitions, consisting of / and swap only. 
Compare that to the suggestion made by the FreeBSD 
installer, where the option to automatically create partitions 
also provides three additional partitions (/var, /tmp and 


/usr). Experienced users can use the partition editor in PC- 
BSD to setup the partitions according to their own needs 
(Figure 2). 

Kris Moore, the PC-BSD project leader, acknowledged
that the differences between the two install options
(desktop and server) are minor at the moment. In fact, all
files needed to run a graphical user interface are still there,
the desktop is simply disabled. Changing the settings in
/etc/ttys would be enough to get a fully functional graphical
desktop again. Apart from this, SSH is enabled and some
networking is customized. For this article we stuck to the
proposed disk layout and decided not to install additional
PBI's.

Once the installation is finished, please reboot the system. 
The new PC-BSD server is ready for our purposes. The 
command line awaits us (Figure 3). 


Between the command line and the graphical desktop: Webmin

This would be enough to start adding the various building 
blocks for our home server. We can install all the software we 
need and edit the various configuration files to fine tune the 
various servers. Once our box is up and running, it isn't even
necessary to sit behind the actual system. With a program 
like PuTTY we are able to access the command line from 
another computer in our network (or, when all elements are 
in place, from any computer in the world with an internet 
connection). 

Webmin makes it somewhat easier to manage and
maintain our new server. It provides a web-based interface and
should remove the need to manually edit the configuration files.
This doesn't mean that it negates the need to comprehend the
various building blocks of our server. But more about that in the
upcoming articles.

For now we simply want to install
webmin. First, we will install webmin
using the ports collection. As an
alternative, we use a PBI to install the
software.


Installing webmin via ports
Beginning with the 7.x releases, PC-BSD
keeps the FreeBSD ports tree
completely separate from the PC-BSD
base desktop system. This might not
sit well with experienced FreeBSD
users, but makes sense when thinking
about the goal PC-BSD has in mind
and its target audience. Keeping the
two separate allows us to play with
the ports without affecting our PC-BSD
desktop negatively. And changes to the
PC-BSD desktop won't corrupt the ports
tree. Feel free to read up on this in the
PC-BSD Handbook (http://wiki.pcbsd.org/index.php/PC-BSD_Users_Handbook).

The first step is to become root by
entering:


> su


and provide your administrator password.
Then, we need to switch to what is
called the FreeBSD LOCALBASE:


# runports


If all is well, we see the message:


Running as root! You may now run
'make' in the FreeBSD Ports tree
#


During installation we opted not to
install any additional components, which
included the ports collection. At this point
we need to get a new ports tree. For that,
please enter (Figure 4):


# portsnap fetch 


# portsnap extract 


Once this is finished we can install
webmin by using the following
instructions:


# cd /usr/ports/sysutils/webmin 


# make install clean 


All dependencies will be taken care
of, but we need to stay behind our
computer to answer a few questions
here and there (for instance while
installing perl). The default answers
should suffice.

Figure 6. When we see this message scrolling by,
we are certain that webmin is running

Now we need to set up webmin, for
which we use:


# /usr/local/lib/webmin/setup.sh


This script asks us a few questions:


Web server port (default 10000):
Login name (default admin):
Login password:
Password again:
Use SSL (y/n):


The default port for webmin is 10000. We
can change the login name and should
provide a password. It is possible to leave
a blank password, but that's not advised.
Another layer of security is added by
using SSL. Without SSL we would be able
to access the web interface by using
http://server-ip-address:10000. SSL changes
that to https://server-ip-address:10000
(Figure 5).

With this the installation of webmin is
finished. To start the program we use:


# /usr/local/etc/rc.d/webmin start


If this were a regular FreeBSD server,
we could edit the rc.conf file so webmin
starts at boot. To do that, please use:


# ee /etc/rc.conf


ee is a nice command line text editor
which is somewhat easier to use than
vi, not least because it offers
something resembling a menu with the
various instructions. Add the following
line:


webmin_enable="YES"


But this isn't a regular FreeBSD server,
this is a PC-BSD server and webmin is
not installed as part of the PC-BSD base
system. We need to create (as root) a
symlink in the /Programs/rc.d folder:


# ln -s /usr/local/etc/rc.d/webmin /Programs/rc.d/webmin


This way webmin is started at boot
(Figure 6).


Installing webmin using the PBI
Another method is to use the PBI
that is offered at http://www.pbidir.org.
Simply use webmin as search phrase
and select either the 32-bit or 64-bit
version. What we need is the exact
download address for the PBI. We use
this URL in combination with 'fetch' to
get the PBI to our server. In my case it
came down to:


$ fetch ftp://www.nl.freebsd.org/pub/pcbsd/PBI/Utilities/Webmin/7/x64/Webmin1.480_1-PV0.pbi


On a graphical desktop it now boils
down to double-clicking the PBI and
following the wizard that appears. On the
command line we need to change the
file permissions first:


$ su
# chmod 777 Webmin1.480_1-PV0.pbi


Then we can install webmin by entering:


# ./Webmin1.480_1-PV0.pbi -text -accept


Using the -text option tells the installation
we are using a text-based interface, while
the -accept option deals with possible
pop-ups. There are some differences with
the ports-based installation. Using the PBI
doesn't give us the choice of enabling SSL
(disabled by default), changing the login
name (admin by default) or providing an
admin password (blank by default). This
can be changed when running webmin
(Figure 7).


Figure 7. When installing webmin via the PBI we need to make it more secure through the webmin options
Figure 8. This shows that our installation of webmin was successful. We can login!
Webmin is a powerful tool to manage and maintain our new PC-BSD server


Either way, we now have a working
version of webmin on our server. We
are, however, still not able to access it
from another computer in our network.
By default most ports to the outside
world are closed by the firewall, including
port 10000. Installing webmin doesn't
automagically open the gate. We need to
edit the pf.conf file by hand:


# ee /etc/pf.conf


and add the line:


pass in on em0 proto tcp from any to (em0) port 10000 keep state


and save the file. Port 10000 is now open 
to accept requests from all computers 
that have access to our network. Mind 
you, this isn’t the most secure setup, 
but for now it will suffice. Please open a 
browser on another computer and use 
the following url: 


https://server-ip-address:10000 
(or http://server-ip-address:10000, 
when SSL is not (yet) enabled) 


In Firefox you might be asked to add an 
exception for the specific site as the SSL 
certificate isn’t recognized. When all goes 
well we will be greeted by the webmin 
login (Figure 8). 
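The pf rule added above accepts connections to Webmin from any source address. As an added example (not from the article; the function names and the sample rule set are constructed here), this script finds such rules for a given port and rewrites them to accept only the subnet attached to the rule's own interface, using pf's interface:network address form. It assumes single-line rules with a plain interface name or macro after "on".

```shell
#!/bin/sh
# Added example, not from the article.
# exposed_rules PF_CONF PORT
#   prints each "pass in" rule that admits any source to destination PORT
# tighten_rules PF_CONF PORT
#   prints PF_CONF with those rules narrowed to "<interface>:network"

# awk regex (as a string) for "to ... port N" or "to ... port { a, N, b }"
PORT_RE='"[ \t]to[ \t].*port[ \t]+([{]([^}]*[ ,\t])?)?" port "([ ,\t}]|$)"'

exposed_rules() {
    awk -v port="$2" '
        BEGIN { re = '"$PORT_RE"' }
        /^[ \t]*pass[ \t]+in[ \t]/ && /[ \t]from[ \t]+any[ \t]/ && $0 ~ re { print }
    ' "$1"
}

tighten_rules() {
    awk -v port="$2" '
        BEGIN { re = '"$PORT_RE"' }
        /^[ \t]*pass[ \t]+in[ \t]/ && /[ \t]from[ \t]+any[ \t]/ && $0 ~ re {
            iface = ""
            for (i = 1; i < NF; i++)
                if ($i == "on") { iface = $(i + 1); break }
            # Rewrite only when "on" names one interface or one macro.
            if (iface ~ /^[$]?[A-Za-z_][A-Za-z0-9_]*$/)
                sub(/from[ \t]+any/, "from " iface ":network")
        }
        { print }
    ' "$1"
}

# Constructed sample rule set, not PC-BSD's shipped pf.conf.
sample_pf_conf() {
    cat <<'EOF'
# constructed sample
set skip on lo0
block in all
pass out all keep state
pass in on em0 proto tcp from any to (em0) port 22 keep state
pass in on em0 proto tcp from any to (em0) port 10000 keep state
EOF
}

# Demo on the constructed sample.
conf=$(mktemp)
sample_pf_conf > "$conf"
echo "Rules exposing port 10000 to any source:"
exposed_rules "$conf" 10000
echo "Narrowed rule set:"
tighten_rules "$conf" 10000
rm -f "$conf"
```

Write the narrowed output to a scratch file and parse it with pfctl -nf before loading it with pfctl -f.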

Figure 9 gives an indication of the 
wide range of functions and options 
that can be dealt with via webmin. In 
the upcoming articles we will add new 
functions to our server, add users and 
groups and see how far we can tweak 
it all in order to provide a stable, easy 
to use, feature rich and secure home 
server. 

PS. I'd like to add a word of thanks to
Kris Moore who answered my questions
quick and clear enough for me to write
this article.


How to Build a Scalable Search Engine Using the BuildaSearch Web Service

Diego Montalvo


BuildaSearch was featured in the 4/2009 issue of BSD Magazine. While other articles
do a fantastic job focusing on core BSD technology, I feel that it is also important to
cover web services powered by BSD systems.


As the Internet and web applications continue to
evolve and become both more useful and complex,
the operating systems behind these Internet based
services must also evolve into more efficient and
powerful systems.

Being the lead developer of BuildaSearch.com, I am very
familiar with resource intensive web services and their need for
powerful operating systems.

FreeBSD provides the power for one of the most unique
and advanced BuildaSearch features: a real-time indexer,
which produces extremely fresh search results in minutes.

Since my early days developing WAP search technology
via a FreeBSD back-end, I decided BuildaSearch would run on
the same operating system. FreeBSD has become a critical
part of BuildaSearch and its many search services.

In this tutorial I will be covering web-based indexing technology
and simple deployment procedures. After reading the following
article you will be able to: crawl one or more websites in real-time,
add a scalable search engine to your personal, business or blog
website. Things you'll need for this tutorial:

SimpleXML (enabled) in PHP
BuildaSearch XML API


Figure 1. Giving Your Search a Name
Figure 2. Adding Websites to be Indexed
Figure 3. BAS Crawler Display Screen


Note: The BuildaSearch API is programming
language independent: you can
use anything from JavaScript to C++ to
parse the XML API. This tutorial provides
a PHP5 code sample.


Step 1. Getting Started
Registration at BuildaSearch is pretty
straightforward. Register and confirm
your email address in your inbox.

Once you log in and are in the Main
Menu, click on the Name Search link;
next you will see the Name Your Search
interface. Begin by typing the name you
would like to give your search. Note: only
letters and numbers are supported.

The search in this tutorial is given
the name bubba at web address:
http://bas.buildasearch.com/bubba (Figure 1).

Once you are finished typing in your
search name, click on the Add Your Websites
link. In the smaller screen add the
websites you would like to crawl. Note:
You may add up to 15 different websites.

It is important to add the entire web
address including its protocol and host.

correct: "http://www.abc123.com"
incorrect: "abc123.com"

Once you have added your list of websites,
click close then click on the save changes
button. Lastly click on Continue Editing then
home on the top menu (Figure 2).


Step 2. Crawling the Web

In the Main Menu click on the BuildaSearch
Advanced Search (BAS) link. Once in
the BAS interface, you will notice that
BuildaSearch offers 500 free search pages.

Note: You may upgrade to more pages
but for this tutorial 500 pages will suffice.

Click next and you will be prompted
with the default 500 pages and with a
character set drop-down. Note: Most
sites use either European latin1 or Unicode
utf8 character sets.

Next click on continue activation. Once
you are ready to begin crawling your websites,
click start crawler. Note: Crawling
and indexing search content may take a
few minutes. As the crawler does its magic
you will see the list of links change.

Once all indexing processes are
completed, you will be prompted with
two buttons: preview search and done.

You may test search results by clicking
on preview search and entering
your own search query into the provided
search box. Once you are satisfied with
testing your custom search you may
proceed to the next step by clicking on
done (Figure 3).


Step 3. Using the BuildaSearch API

The BAS XML API works similarly to other
APIs: simply use any programming
language of your choice to parse and
manipulate the feed. Your custom search
API can be viewed at the following URL:
http://bas.buildasearch.com/xml/your_search_name?e=query_string&bastart=0&bascount=10


Listing 1. Simple XML Response


<?xml version="1.0" encoding="UTF-8" ?>
<response>
<results>
<query>market7</query>
<bastotal>1</bastotal>
<bastart>0</bastart>
<bacount>1</bacount>
<basresult>
<title><![CDATA[Shoaib Hashmi (ShoaibHashmi) on Twitter]]></title>
<longurl><![CDATA[http://twitter.com/shoaibhashmi]]></longurl>
<basummary><![CDATA[... reply to anumvighio RT @ startupmeme : <b>Market7</b> Goes Big, Provides Google With ]]></basummary>
<showurl><![CDATA[http://twitter.com/ShoaibHashmi]]></showurl>
</basresult>
</results>
</response>


Step 4. Embedding and Customizing Your Search Engine
The last step of this tutorial is parsing the
BAS API using your choice of programming
language. I have provided a simple
PHP5 SimpleXML code sample below.
Even though this code sample provides
basic functionality, it is a great start for
developing a more complete search engine
which could be enhanced with: pagination,
spell checking, CSS and more.


Table 1. Customizable Values

your_search_name    search name given in step one
bastart             starting point of search results (0) default





Figure 4. Screenshot of Parsed Search Results


Listing 2. PHP5 SimpleXML Code Sample


<?php
header("Content-type: text/html; charset=UTF-8");
########################################
# BUILDASEARCH BSD MAGAZINE EXAMPLE
# USING BAS API
# USING SIMPLEXML V.081909
########################################
$SECRET = 'bubba'; //YOUR CUSTOM SEARCH NAME
// Read the query only if the form was submitted, then URL-encode it for the API call
$QUERY = isset($_GET["e"]) ? urlencode($_GET["e"]) : '';
$START = 0;
$NUM = 10;
if (empty($QUERY)) {
    echo '<form method="get" action="">';
    echo '<input type="text" name="e">';
    echo '<input type="submit" value="Search">';
    echo '</form>';
} else {
    //BUILDASEARCH API URL
    $API = "http://bas.buildasearch.com/xml/".$SECRET."?e=".$QUERY."&bastart=".$START."&bascount=".$NUM;
    //LOAD EXTERNAL BAS API
    $xml = simplexml_load_file($API, 'SimpleXMLElement', LIBXML_NOCDATA);
    if ($xml === false) {
        exit('Search service unavailable.');
    }
    //DISPLAY TOTAL
    foreach ($xml->xpath('/response/results/bastotal') as $node) {
        echo "total: ", htmlspecialchars((string) $node), "<br/>";
    }
    //DISPLAY RECORDS BELOW
    foreach ($xml->results->basresult as $record) {
        // URLs are escaped before they go into the page; title and basummary
        // are echoed as returned because the API marks matches with <b> tags
        echo '<a href="'.htmlspecialchars((string) $record->longurl, ENT_QUOTES).'">'.$record->title.'</a><br/>';
        echo $record->basummary.'<br/>';
        echo htmlspecialchars((string) $record->showurl, ENT_QUOTES).'<br/>';
        echo '<hr/>';
    }
}
?>





Resources


You can test drive the code sample in this tutorial at: http://www.buildasearch.com/bsdmag/
Obtain the code sample at the URL below: http://www.buildasearch.com/bsdmag/source.phps





Table 2. BuildaSearch API Return Values

query        search query
title        title of search results, includes bold highlighted text
basummary    text summary, includes bold highlighted text
bastart      result set starting point


Conclusion

Adding an advanced search engine to your
website can be done in minutes instead
of hours. As BuildaSearch technology
improves, more and more advanced
features will be implemented into our
web service. If you have any questions
or comments feel free to contact me at
diego@earthoid.com.


Is NetBSD ready for a desktop?

Petr Topiarz


In this article I am focusing on the usability of NetBSD as a desktop. I would like
to show what NetBSD can do today and whether it is mature enough to challenge PC-BSD
or Linux. If you want to know, keep reading.


This article will not explain how to install NetBSD, as
that has been covered by many other articles, but
how to tweak it and hack it to make it work as
user-friendly and comfortably as a current standard
Linux distro.


The idea of a NetBSD desktop

I wonder if you ever had a NetBSD desktop. I used to run it,
mainly for fun, three years ago as my secondary desktop. It
was a lot of tweaking and tuning, but after patching the kernel and
doing a lot of hacks it was quite nice, even with a splash
screen when loading. However, a lot of things I needed were
not working reliably. A year ago, or two, the pkgsrc collection
(the main source of third party packages) went through
major changes and both Gnome and KDE did not compile
successfully for months. So I stopped using it. The problems at
that time could be clearly attributed to switching the X server from
XFree86 to Xorg, which required changing lots of dependencies
and introducing new ones, but they were enough to keep me
off the NetBSD system for a long time.

However, a few months ago Jared McNeill and Andrew Doran
announced they were starting the NetBSD Desktop project.
You can read about it at: http://wiki.netbsd.se/Desktop_Project
Their aim was a fully featured Gnome desktop with everything
that Linux distros such as Ubuntu or Fedora run today regularly,
even automounting with hal and all the stuff. What a surprise,
I said to myself, I knew the former name very well, as it was
the developer who helped me patch the kernel for the loading
splash three years ago. I became interested and tried to install
Gnome. It compiled well both from the stable sources 200901
and 200902 and even on current. I tried automounting with hal
and it worked (after asking Jared McNeill for help again). I tried
Flash 10 on native Firefox 3 and it worked. Well, it really seems
there is something going on in the NetBSD world! If you would like
a preview of what we can expect from the NetBSD Desktop
project, here come my notes on how to install NetBSD with
everything a desktop needs.


What a desktop needs 
Let's find out what a regular spoiled Linux user expects from 
a desktop: 


complete Gnome or KDE 

nice splash while loading and cool look 
automounting USB and CDROM devices 
easy printing 

easy CD burning 

easy scanning 

OpenOffice, PDF-reader, streaming player 
Skype, ICQ, Jabber, etc 

DVD playing 

Internet streaming music playing 


and a lot of other special things, I believe. Even though the
items above are probably standard, I'll take you on a guided 
tour and we'll see if those things work on NetBSD or not. 


The binary packages 

The package management system on NetBSD is very unique.
Thanks to backwards compatibility you can theoretically use
a package compiled for a two-year-old release on the newest
kernel and userland. You can also use the newest packages
on a two-year-old kernel and userland, e.g. use 200902
branch packages on NetBSD 4.0 if you like. If you use a
package compiled for a different release, it does not always
work, but if there are not many changed dependencies it is
likely to work. In some cases, that can save you when the
current package will not compile. It has its advantages and
drawbacks. More than once
I had to use a package compiled for the 3.0
release with an old packages branch on
my 4.0 release; if I remember correctly,
it was the rsync package, when it failed
to compile. Of course, you can never
achieve the stability and perfection of
the OpenBSD packages, compiled
only for one Xenocara release and kernel
version; however, it often allows you to
find a solution when the current package
is missing, especially if the package
does not have too many dependencies.
You can find the packages for the Intel
platform at: ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0_200902/All.
The number 5.0 refers to the
release of NetBSD; the number 200902
refers to the frozen state of PKGSRC after
the 2nd quarter of the year 2009. To use
that normally as a repository you have to


# export PKG_PATH=ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0_200902/All


If you want it to be permanent then paste
the above line into /etc/profile; if it
does not exist, you have to create that file.
Using the packages is then very easy:


adding a gnome desktop package:
# pkg_add -v gnome

deleting the rsync package:
# pkg_delete rsync

deleting all packages at once:
# pkg_delete '*'


This can be very useful if you are
upgrading from one set of packages
to a newer one, e.g. from 200901 to
200902.

finding out which packages are
installed:
# pkg_info

On searching for a package, I truly recommend the Swedish
web engine: http://pkgsrc.se.


It is very helpful in finding any package or 
its proper name or version. It allows you 
to search all packages or only those in 
CURRENT branch or the stable 200902 
branch or earlier. 

I do not use packages from NetBSD,
and I do not recommend it generally.
Thanks to the backward compatibility
and possibility to compile packages from
almost any branch against any release of
NetBSD and any kernel, a number of them
are often not compiled against the same
kernel and userland as you are using, so
they do not always work as expected.

My latest bad experience was the
GDM binary from the 200901 that
installed without hesitations but always
collapsed when trying to start. After
searching in the error logs I found
out the binary was trying to use the old
version of X server and so I had to make




Listing 1. rc.conf 


# $NetBSD: rc.conf,v 1.96 2000/10/14 17:01:29 wiz Exp $ 
# 
# see rc.conf(5) for more information. 
# 
# Use program=YES to enable program, NO to disable it. program_flags are 
# passed to the program on the command line. 
# 
# Load the defaults in from /etc/defaults/rc.conf (if it's readable). 
# These can be overridden below. 
# 
if [ -r /etc/defaults/rc.conf ]; then 
        . /etc/defaults/rc.conf 
fi 

# If this is not set to YES, the system will drop into single-user mode. 
# 
rc_configured=YES 

# Add local overrides below 
wscons=YES 
dhclient=YES 
sshd=YES 
famd=YES 
rpcbind=YES 
dbus=YES 
hal=YES 
avahidaemon=YES 
gdm=YES 
cupsd=YES 
slpd=NO 

Listing 2. Adding more applications 


#!/bin/sh 
# Build and install each package in turn; the && chain stops at the first failure. 
cd /usr/pkgsrc/print/cups && 
make install && 
cd /usr/pkgsrc/sysutils/gnome-volume-manager && 
make install && 
cd /usr/pkgsrc/multimedia/adobe-flash-plugin && 
make install && 
cd /usr/pkgsrc/www/firefox3 && 
make install && 
cd /usr/pkgsrc/www/nspluginwrapper && 
make install && 
cd /usr/pkgsrc/net/skype && 
make install && 
echo "Skype, firefox3, nspluginwrapper, flash and cups printing system have installed successfully on your system!" 


link from the new to the old directory 
to make it work. So what do I use and 
recommend? I use packages that I 
compile myself and I use the magic of 
pkgsrc, the packages source. 


Pkgsrc 
PKGSRC is a system similar to FreeBSD’s 
ports and portage in the Linux world. 
PKGSRC is a hierarchy of folders and 
files where information on how to compile 
packages, where to get them, how to 
patch them and pack them for NetBSD is 
stored. And it works. It works on NetBSD, 
it works on OpenBSD, Solaris, DragonFly 
BSD, Linux... probably even on a more 
recent version of a kitchen toaster. 

Once you get into it and understand 
how it works and how to hack it, nothing 
will stop you. 





NetBSD has great documentation 
and you will find there where to grab 
pkgsrc and how to install it. Once installed, 
the PKGSRC resides in /usr/pkgsrc 
on a NetBSD machine. There are not 
only sources of real packages but also 
sources of so-called meta-packages. So 
make sure your connection to the Internet 
works, become root and descend to the 
folder called meta-pkgs and go to 
the gnome folder: 


$ su 


# cd /usr/pkgsrc/meta-pkgs/gnome 


Then you can have a look at the Makefile 
where information of what will compile is 
stored. 

Figure 2. pkgsrc website 

You can comment out some things 
or add others if you like, however, you 
should know what you're doing before 
doing so. Then you tell the system to 
install the complete desktop: 


# make install 


and the circus starts, after a day or two 
— depending on your connection speed 
and PC capabilities, your gnome desktop 
is there and you will see this message 
appear 


$NetBSD: MESSAGE,v 1.6 2009/03/17 14:46:39 jmcneill Exp $ 

In order to get the GNOME Desktop running properly, you need to follow 
these manual steps: 

1) Enable the File Alteration Monitor; see pkg_info -D fam for more 
   information. If you chose to use gamin instead of fam, you do not 
   need to take this step. 

2) Enable the system dbus daemon. In order to do that, copy the 
   ${PREFIX}/dbus script to /etc/rc.d and add dbus=YES to your 
   /etc/rc.conf file. 

3) Enable the hal daemon if GNOME has been built with the hal option 
   (the default). In order to do that, copy the 
   ${PREFIX}/share/examples/rc.d/hal script to /etc/rc.d and set 
   hal=YES in your /etc/rc.conf file. 

4) Enable the cups daemon if you installed it. In order to do that, 
   copy the ${PREFIX}/share/examples/rc.d/{cupsd,slpd} scripts to 
   /etc/rc.d and set cupsd=YES and slpd=NO in your /etc/rc.conf file. 

5) Set up the gnome-screensaver PAM service by creating the 
   /etc/pam.d/gnome-screensaver file. You can use one of the files in 
   ${PREFIX}/share/examples/gnome-screensaver/pam.d as templates. 

6) Optionally enable the Avahi DNS Service Discovery service if you 
   installed it. In order to do that, copy the 
   ${PREFIX}/share/examples/rc.d/avahidaemon script to /etc/rc.d and 
   set avahidaemon=YES in your /etc/rc.conf file. 

7) Optionally enable GDM (highly recommended). Just copy the 
   ${PREFIX}/share/examples/rc.d/gdm script to /etc/rc.d and add 
   gdm=YES to your /etc/rc.conf file. 


You really should do what they say if you 
want your computer to run gnome properly. 


The /etc/rc.conf 

To explain what is going on one has to 
understand how the system works. Pkgsrc 
does not make applications and servers 
start automatically; instead it leaves the 
choice up to you. So it installs all the starting 
scripts into /usr/pkgsrc/share/examples/rc.d/. 
They do nothing there, however, if you 
copy them into /etc/rc.d/ they are ready 
to be used by the rc.conf file containing the main 
system start-up configuration. The rc.conf 
is the main starting script config. NetBSD 
uses only this one, in fact. In FreeBSD there 
are also other files to use for starting scripts 
and module loading besides /etc/rc.conf, 
and in OpenBSD /etc/rc.conf is rather 
stagnant as most configuration happens in 
/etc/rc.local or /etc/rc.conf.local. 




Under NetBSD you have very 
simple control over everything that 
the system launches in just one file. 
Services are switched on with a simple 
YES and off with a simple NO and you are 
ready to go! This choice makes NetBSD 
very powerful. The creators of a rather 
recent Linux distribution, Arch Linux, 
understood the advantage and 
adopted this concept too. 

So if you want to have an openssh 
server running on your desktop just 
add sshd=yes into your /etc/rc.conf. 
A sample rc.conf that is enough for 
running a desktop looks like this (see 
Listing 1). But let us move back to 
pkgsrc. 
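One way to review what an rc.conf switches on, as an added example that is not part of the original article: the shell functions below list every variable whose final value counts as enabled. The sample file is constructed from the overrides in Listing 1; the dhclient_flags value and the extra slpd and ntpd lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the article: report which services an
# rc.conf-style file switches on.

# enabled_services FILE
# Prints (sorted, one per line) every variable whose final value is enabled.
# The file is read top to bottom and a later assignment wins, as it does when
# /etc/rc.conf is sourced after /etc/defaults/rc.conf.
enabled_services() {
    awk -v q="'" '
        /^[ \t]*#/ { next }                        # whole-line comment
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ {
            line = $0
            sub(/^[ \t]*/, "", line)
            name = line; sub(/=.*/, "", name)
            val = line;  sub(/^[^=]*=/, "", val)
            sub(/[ \t]*#.*$/, "", val)             # trailing comment
            gsub("[\"" q "]", "", val)             # surrounding quotes
            sub(/[ \t]+$/, "", val)
            state[name] = toupper(val)
        }
        END {
            # NetBSD rc.subr accepts YES, TRUE, ON and 1 in any case.
            # rc_configured is the boot guard, not a service, so it is skipped.
            for (n in state)
                if (n != "rc_configured" && state[n] ~ /^(YES|TRUE|ON|1)$/)
                    print n
        }
    ' "$1" | sort
}

# is_enabled FILE NAME: exit status 0 if NAME is switched on in FILE.
is_enabled() {
    enabled_services "$1" | grep -qxF -- "$2"
}

# Constructed sample input modelled on the overrides in Listing 1.
write_sample_rc_conf() {
    cat > "$1" <<'EOF'
rc_configured=YES
# Add local overrides below
wscons=YES
dhclient=YES
dhclient_flags="-q"
sshd="yes"      # quoted, lower case, trailing comment
#ntpd=YES
cupsd=YES
slpd=YES
slpd=NO         # later assignment wins
EOF
}

sample=$(mktemp)
write_sample_rc_conf "$sample"
enabled_services "$sample"
rm -f "$sample"
```

Run against the real /etc/rc.conf, the output is the list to check for anything that listens on the network (sshd, cupsd, rpcbind and so on) before the machine leaves a trusted LAN.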


The /etc/mk.conf 
The file called mk.conf contains 
information on compiling. You can put 
various options here, but for the moment 
we will stick to allowing pkgsrc to compile 
things we need and accept licenses and 
add these lines to /etc/mk.conf: 


ACCEPTABLE_LICENSES+= flash-license 
ACCEPTABLE_LICENSES+= skype-license 


If you are interested in what you agree with, 
go to the pkgsrc folder containing sources 
of that program and issue the following 
command: 


$ cd /usr/pkgsrc/net/skype 
$ make show-license 


Listing 3. Editing /usr/pkg/etc/PolicyKit/PolicyKit.conf 


<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- --> 

<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN" 
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd"> 

<!-- See the manual page PolicyKit.conf(5) for file format --> 

<config version="0.1"> 
  <match user="root"> 
    <return result="yes"/> 
  </match> 
  <match user="peter"> 
    <return result="yes"/> 
  </match> 
  <define_admin_auth group="wheel"/> 
</config> 


Listing 4. Scanning 


# sane-find-scanner 

  # sane-find-scanner will now attempt to detect your scanner. If the 
  # result is different from what you expected, first make sure your 
  # scanner is powered up and properly connected to your computer. 

  # No SCSI scanners found. If you expected something different, make sure that 
  # you have loaded a kernel SCSI driver for your SCSI adapter. 

found USB scanner (vendor=0x03f0 [hewlett packard], product=0x4105 [hp scanjet]) at libusb:/dev/usb0:/dev/ugen0 


Adding more applications 

We now have a nice NetBSD desktop 
with the GNOME environment, but we are 
still nowhere: no Firefox, no Flash, no 
automounting, nothing that a spoiled Linux 
user considers appropriate for a desktop. 
Here is a sample script that will make the 
choice for you, feel free to change it to 
your needs (see Listing 2). 


pkgsrc on a laptop 

You have probably noticed that a Gnome 
desktop takes a day or longer to compile and 
some extra hours are needed to 
compile the rest of the applications you 
want. Who can stop using his/her laptop 
for three days or longer? Here packages 
come in handy. As I showed above, 
packages from the Internet repository 
can be rather a risky solution. So let's 
make them on our own, there is nothing 
easier. For example using a script (I bet 
there are a hundred people who can make 
it simpler and cleaner, but this one 
works): 


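#!/bin/sh 
# Build a binary package in every pkgsrc directory that has been 
# compiled, i.e. that still contains a work directory. 
for i in /usr/pkgsrc/*/* 
do 
    if test -d "$i" 
    then 
        cd "$i" 
        if test -d work 
        then 
            make package 
        fi 
    fi 
done 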


This script searches your PKGSRC 
collection to find which packages have 
been compiled (they are the folders which 
have stale work in them) and proceeds 
with making packages. The compiled 
packages appear in your /usr/pkgsrc/packages/All 
folder. Now you can copy 
them to your NetBSD laptop and then go 
to the folder with packages: 


# pkg_add ./gnome ./skype ./firefox3 
(and so on, it solves dependencies well) 

or simply: 

# pkg_add * 


Then a quick installation from packages 
breaks out and your laptop is ready in a 
few minutes. Of course, you have to do 
the configuration job with rc.conf and 
copy the starting scripts again. This can be 
done on slow computers or emulated 
machines as well. 


Cleaning pkgsrc 
After the installation process, you will find 
out that your /usr partition is running out 
of space. That is because, even after cleaning, a 
lot of pkgsrc folders still contain stale work. 
The official web-site tells you that the 
only safe way to clean ports is to go to 
the main directory and do the following: 


# cd /usr/pkgsrc/ 


# make clean 




Figure 3. Automounting with Hal 


After two or three days the pkgsrc is perfectly 
clean. The average person does not have 
that much time, so if you want to save some 
time, here is a script for your comfort: 


#!/bin/sh 
# Run "make clean" only in the pkgsrc directories that still 
# contain a work directory. 
for i in /usr/pkgsrc/*/* 
do 
    if test -d "$i" 
    then 
        cd "$i" 
        if test -d work 
        then 
            make clean 
        fi 
    fi 
done 


Configuring and tweaking 

Well, now we think the basic work is done. 
Yes, we have the applications, but most of 
them will not do what we want yet. 


Make flash work 
As root issue a command: 


# nspluginwrapper -l 
/usr/pkg/lib/netscape/plugins/libflashplayer.so 
Original plugin: 
Wrapper version string: 


This shows us where the plugin lies. 
Therefore we know what to install: 


# nspluginwrapper -i /usr/pkg/lib/netscape/plugins/libflashplayer.so 


Now fire up your Firefox 3 and you 
are in a flash heaven on Youtube. See 
the screenshot from youtube.com 
(Figure 5). 


Make hal automount 
the USB flash key and others 
Make sure you have installed 
gnome-volume-manager. Then edit 
/usr/pkg/etc/PolicyKit/PolicyKit.conf 
and make sure it looks like this (see 
Listing 3). You need to change this line 
<match user="peter"> to whatever your 
username is. This gives you the power 
to mount volumes with hal and more, 
e.g. suspend and resume. Originally, this 
file only allows root to mount volumes. 
It can be edited much more cleverly 
using groups and such. Study the hal 
pages about PolicyKit if you like: 
http://hal.freedesktop.org/docs/PolicyKit/. 
Now, the usb-key mounting or cd-rom 
mounting should work. In case you 
still come across any difficulties, check 
if cdrom or usb is listed in your /etc/fstab. 
If so, comment out those lines. Hal 
does not use /etc/fstab for mounting 
usb-keys or CDs. See the screenshot 
showing an automounted USB iRiver player 
T20 (Figure 3). 
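Listing 3 answers "yes" to every PolicyKit action for the named users, which is worth auditing once the desktop works. As an added example (not from the article), this script lists the users a PolicyKit.conf authorises for all actions; the user alice is hypothetical, the action name org.freedesktop.hal.storage.mount-removable is an assumption to confirm against the actions installed on your system, and the parser assumes one element per line as in Listing 3.

```shell
#!/bin/sh
# Added example, not from the article: find users that a PolicyKit.conf
# authorises for every action.

# blanket_yes_users FILE
# Prints each user whose <match user="..."> block returns result="yes"
# without being scoped by a <match action="..."> element.
blanket_yes_users() {
    awk '
        # An element that names an action narrows everything inside it.
        /<match[^>]*[ \t]action=/ {
            stack[++depth] = "action"; in_action++
            next
        }
        /<match[^>]*[ \t]user=/ {
            u = $0
            sub(/.*user="/, "", u); sub(/".*/, "", u)
            stack[++depth] = "user"; user[depth] = u
            next
        }
        /<\/match>/ {
            if (depth > 0) {
                if (stack[depth] == "action") in_action--
                depth--
            }
            next
        }
        /<return[ \t]+result="yes"/ {
            if (depth > 0 && stack[depth] == "user" && in_action == 0)
                print user[depth]
        }
    ' "$1"
}

# Constructed sample: the two blanket rules from Listing 3 plus a narrower
# rule for a hypothetical user limited to one action.
write_sample_policykit_conf() {
    cat > "$1" <<'EOF'
<config version="0.1">
  <match user="root">
    <return result="yes"/>
  </match>
  <match user="peter">
    <return result="yes"/>
  </match>
  <match action="org.freedesktop.hal.storage.mount-removable">
    <match user="alice">
      <return result="yes"/>
    </match>
  </match>
  <define_admin_auth group="wheel"/>
</config>
EOF
}

sample=$(mktemp)
write_sample_policykit_conf "$sample"
blanket_yes_users "$sample"
rm -f "$sample"
```

Only root and peter are reported; the rule for alice is skipped because its grant sits inside an action match and so covers mounting removable media only.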


Make Skype talk 

Skype works under Linux emulation on 
NetBSD. It takes some time to start and 
I haven't found a solution how to make 
sound on Skype work with Pulse audio, 
that comes compiled with Gnome 2.26, 
now. If you kill the pulse audio server, things 
can work. It is in the process now, clearly, 
as in 2009Q2 skype 1.4 only chatted. I 
had to download Skype 1.3 from the 
NetBSD distfiles and after unpacking 
and running it I could call, it was stable 
and I could speak and hear everyone 
normally. In current pkgsrc, Skype 1.3 
did not speak to me at all while the nice 
Skype 1.4 did play sound and before it 
got completely stuck it even started to 
record from my microphone. It is very 
probable that even version 1.4 will soon 
work. 

To make Skype talk you have to 
do several adjustments to the system 
settings. 

In any case, to use skype as a user 
you have to adjust your permissions of 
/dev/sound* /dev/audio* and 
/emul/linux/dev/dsp* /emul/linux/dev/sound*. 
Then enable your system to receive 
and send audio at the same time: 


# audioctl -w fullduplex=1 


This will switch your microphone on: 


# mixerctl -w inputs.mic.mute=off 


And adjust microphone recording level: 


# mixerctl -w inputs.mic=240 


# nspluginwrapper 
nspluginwrapper, configuration tool. Version 1.2.2 

usage: nspluginwrapper [flags] [command [plugin(s)]] 

   -h --help               print this message 
   -v --verbose            flag: set verbose mode 
   -a --auto               flag: set automatic mode for plugins discovery 
   -n --native             flag: allow native plugin(s) to be wrapped 
   -l --list               list plugins currently installed 
   -u --update             update plugin(s) currently installed 
   -i --install [FILE(S)]  install plugin(s) 
   -r --remove [FILE(S)]   remove plugin(s) 
# nspluginwrapper -i 
nspluginwrapper: expected plugin(s) file name to install 
# nspluginwrapper -l 
/root/.mozilla/plugins/npwrapper.libflashplayer.so 
  Original plugin: /usr/pkg/lib/netscape/plugins/libflashplayer.so 
  Wrapper version string: 1.2.2 
# 

Figure 4. Using nspluginwrapper 


Make CUPS print from all applications 

By default the path is set up so that 
printing applications use 
/usr/bin/lp instead of /usr/pkg/bin/lp. 
We need to be able to use cups, so 
we have to do the following (saving the 
original files): 

# cp /usr/bin/lp /usr/bin/lp.old 
# cp /usr/bin/lpr /usr/bin/lpr.old 
# cp /usr/bin/lpq /usr/bin/lpq.old 
# cp /usr/bin/lprm /usr/bin/lprm.old 

Linking cups's lp files to the original 
expected path: 

# ln -sf /usr/pkg/bin/lp /usr/bin/lp 
# ln -sf /usr/pkg/bin/lpr /usr/bin/lpr 
# ln -sf /usr/pkg/bin/lpq /usr/bin/lpq 
# ln -sf /usr/pkg/bin/lprm /usr/bin/lprm 


Then open any internet browser window 
and go to: http://localhost:631 or 
http://127.0.0.1:631 if the former option 
does not work. Administering cups is 
a rose garden walk with that interface. 
Of course you might want to install 
additional drivers from hpijs and hplip. 
You can do that using pkgsrc. 


Notes 


If you run the PKGSRC package system on a 
different system, it is likely that your pkgsrc 
file is in a different location. In that case 
you have to change the /usr/pkg prefix in the 
above examples to whatever your prefix is. 
All tests and installations were done on a 
Pentium 4 2GHz with 512MB RAM, system 
description: NetBSD 5.99.15 NetBSD 
5.99.15 (GENERIC) #0: Fri Aug 14 23:02:59 
PDT 2009 builds@wb33:/home/builds/ab/HEAD/i386/200908140002Z-obj/home/builds/ab/HEAD/src/sys/arch/i386/compile/GENERIC i386. 
The following websites were used and are 
related to the above text: 


http://wiki.netbsd.se/ 
http://pkgsrc.se/ 
http://www.netbsd.org/ 
http://www.openunix.eu/ 


scanning 

If you want to scan as a user with a usb- 
connected scanner, install XSane and 
adjust devices to be readable and writable 
by your user. If you add yourself to the wheel 
and operator groups then it is enough to 
change the permissions as follows. 

In my case, after investigating where 
the scanner is connected, it is done as 
root like this (see Listing 4). I knew I had 
to adjust permission of these files: 


# chmod 660 /dev/usb* /dev/ugen* 


Then I ran the testing command as a 
user and I got a positive answer. 


$ scanimage -L 
device `hp3900:libusb:/dev/usb0:/dev/ugen0' is a Hewlett-Packard Scanjet 4370 flatbed scanner 


Now I knew Xsane would find the flatbed 
scanner even for a user. 


Burning CD's 

If you want to burn CDs you have to adjust 
/dev/cd0* /dev/rcd* to be readable and 
writable by the user. If you add yourself to the 
wheel and operator groups then it is 
enough to: 


# chmod 660 /dev/cd0* /dev/rcd* 


Then you should check that your favourite 
cd-burner knows that the cd device is 
/dev/rcd0 or similar. 


Playing DVD's with 

and without encryption 

First do the same permission adjustments 
as in the case of Burning CD's. Then, if you 
install vlc or use totem (part of Gnome) or 
xine-ui, playing a DVD is no problem. 

There is an issue with encrypted 
DVDs. Remember that playing encrypted 
DVDs is licensed and restricted in many 
countries. If you are in a country where 
it is allowed, you can install libdvdcss, 
but you have to tell the system where to get 
the source and that we agree to the 
license. Add these two lines: 


LIBDVDCSS_MASTER_SITES=http://download.videolan.org/pub/libdvdcss/ 
ACCEPTABLE_LICENSES+= libdvdcss-license 

into /etc/mk.conf and then go to the 
terminal: 


# cd /usr/pkgsrc/multimedia/libdvdcss/ 
# make install 


Nice look and NetBSD branding 

When the GDM starts you see a 
very modest login window with a grey 
background and a small NetBSD logo. 
The NetBSD logo also appears in the menu 
of Gnome. That's in fact all. There are 
various nice backgrounds on the Internet 
that you can download and use, but not many. 
If you download the kernel sources, open the 
kernel configuration file and uncomment 
the following lines, a kernel compiles with 
a nice splash screen with progress: 


# enable VGA raster mode capable of displaying multilingual text on console 
# enable splash screen support; requires hw driver support 
options SPLASHSCREEN 
options SPLASHSCREEN_PROGRESS 

It is not too modern, however it is quite 
stylish and nice. Orange and silver logo 
with blinking dots on the right bottom. If 
you read what Jared McNeill and Andrew 
Doran proposed for the NetBSD desktop 
we can expect visible improvement. By the 
way, if I am not mistaken, Jared McNeill 
was the person who made the current 
splash screen for the NetBSD kernel. 

If you want to see what the future 
of NetBSD on the desktop is, you can 
have a look at the new proposed GDM 
screenshot for NetBSD Desktop (see 
Figure 1). 


Conclusion 

Though it does not have a 3-click-installer 
and it really takes some time and 
knowledge to set up and tweak, almost 
everything that a desktop needs works on 
NetBSD. You can play Flash in a browser, 
you can listen to music streams, play 
DVDs, burn CDs, chat and (with some 
effort) talk over the Internet, automount 
usb-keys, mount Linux and Windows 
volumes, write documents, print and scan 
whatever you like. That means immense 
progress has been made by NetBSD 
developers (with the support of donors 
in the fund-raising campaign last year and 
this year again) compared 
to what NetBSD was a year ago. And the 
most promising point here is that if Andrew 
Doran and Jared McNeill accomplish 
their aim and bring the NetBSD 
Desktop project to life, it will definitely be 
a challenge for PC-BSD or modern Linux 
desktops. 


Donald T. Hayford 


Though NetBSD is better known for supporting a wide variety of processors and systems, 
FreeBSD has an active embedded component, as well. In this article, we'll take a look at 
the ARM-based SheevaPlug and show you how to boot your Plug using FreeBSD. 


The SheevaPlug (SP) is the archetype of the plug 
computer, a new style of small computer whose 
distinguishing feature is that instead of plugging 
into a wall wart for power, it is the wall wart (see 
Figure 1). Built around the Marvell (www.marvell.com) 
88F6281 Kirkwood line of SOC (system on chip) 
processors, the SheevaPlug comes with Gigabit Ethernet 
(but not wireless), USB, and 512 MB of both system RAM 
and NAND Flash memory. A disassembled SP is shown in 
Figure 2. The Kirkwood processor supports a large number 
of peripherals as shown in Table 1, only a few of which 
are used by the SP. The SP is touted as a development 
system by Marvell and comes with an internal interface 
board that adds an SDIO memory slot and a mini-USB port 
that provides access to a serial port console and JTAG 
port as two different com ports. The SP is available from 
Globalscale Technologies (www.globalscaletechnologies.com) 
for around $99US. 





Listing 1. CSUP Control File (sheeva.supfile) Used To Download FreeBSD 
Source Code 


1. # IMPORTANT: Change the next line to use one of the CVSup Mirror Sites 
2. # listed at http://www.freebsd.org/doc/handbook/mirrors.html 
3. *default host=cvsup8.FreeBSD.org 
4. *default base=/var/db 
5. *default prefix=/home/hayford/sp 
6. *default release=cvs tag=. date=2009.08.09.00.00.00 
7. *default delete use-rel-suffix 
8. *default compress 
9. src-all 




















Figure 1. The SheevaPlug Computer. The USB and GigE ports are on the left, 
and the debug devices (mini-USB and SDIO memory card) are on the right 


Figure 2. The SheevaPlug Disassembled. The circuit board on the far right 
contains the development hardware (serial console, JTAG interface, USB, and 
SDIO interfaces). The circuit board in the center holds the Marvell processor, 
Ethernet port, USB port, and system memory. The power supply is under the 
metal plate in the case on the left side 


According to the PlugComputer 
website (www.plugcomputer.org, operated 
by Marvell), A plug computer is 
a tiny, low power server, intended to 
provide network-based services within 
the home... It is an always-on system, 
and can serve data and applications 
to computing devices within the home. 
It can also be a bridge between home 
computing devices and Internet-based 
services. Low power in this case, 
means about 15 W, definitely less 
than a standard desktop or laptop. 


Listing 2. Steps Required To Build FreeBSD For The SheevaPlug 


mkdir -p $DESTDIR 
exit 
sie Ue SPSS SS SSE SESE 
setenv DESTDIR /usr/home/hayford/sroot 
make installworld TARGET_ARCH=arm 
make distrib-dirs TARGET_ARCH=arm 
make distribution TARGET_ARCH=arm 
make buildkernel TARGET_ARCH=arm KERNCONF=SHEEVAPLUG 


Table 1. Comparison Of The Hardware Capabilities Of The Kirkwood Processor And The SheevaPlug 


Feature | Kirkwood Processor | SheevaPlug 
Clock Speed | 1.0 - 1.2 GHz | 1.2 GHz 
L1 Cache | 16K data, 16K program | Same 
L2 Cache | 256 kB | Same 
Memory Interface | 16-bit, DDR2, up to 800 MHz | 512 MB 
Ethernet | 2 GigE Interfaces | 1 GigE Interface 
PCI-Express | 1 Port | None available 
USB | 1 USB-2.0 Port with integrated PHY | Same 
SATA | 2 SATA 2.0 Ports with integrated PHYs | None available 
TDM Channels | 2 | None available 
SD/SDIO/MMC | 1 | 1 SDIO slot (can also be used as General Purpose IO) 
NAND Flash | 8-bit NAND flash interface with boot support | 512 MB 
SPI | 1, up to 50 MHz clock | None available 
TWSI (Two Wire Serial Interface) | 1 General purpose master/slave port | None available 
UART | 2 | Available 1, Serial Console Interface and Debug Interface 
Audio | I2S/SPDIF | None available 
Video | MPEG Transport Stream | None available 
One variety of plug computer, based 
on the same base design as the SP, 
is the Pogoplug (www.pogoplug.com), 
a device that allows you to put a 
USB storage device on the Internet so 
you can access your data from any 
computer. The Pogoplug doesn't have 
the same development capabilities as 
the SP, so if you're interested in system 
level programming, stick with the SP. 
More recently, a slightly more expensive 
device has become available that takes 
better advantage of the Kirkwood's 
capabilities; see www.open-rd.org for 
information on the SP's big brother, the 
OpenRD platform. 

Not surprisingly, the SP comes with 
Linux preloaded in the flash memory, 
along with U-Boot, a powerful boot 
loader that has become very popular 
on ARM-based devices. Both FreeBSD 
and NetBSD offer support for a number 
of varieties of ARM devices, and Rafal 
Jaworowski (http://www.semihalf.com) 
recently announced support for a 
number of Marvell devices on the 
FreeBSD-ARM mail list. Consequently, 
it is now possible to build a version of 
FreeBSD that will boot on the SP. While 
building and running FreeBSD on an 
embedded processor is interesting 
in its own right, we will also use this 
opportunity to compare the NetBSD 
build and installation process with 
FreeBSD's. 


Listing 3. DHCP Configuration File On The DHCP Server 


ddns-update-style ad-hoc; 
option subnet-mask 255.255.255.0; 
default-lease-time 2592000; 
allow bootp; 
allow booting; 
option broadcast-address 192.168.1.255; 
Opulon. Lrourers ion, bec. i, ihe 
option domain-name-servers xxx.xxx.xxx.xxx; # Use your nameserver address 

subnet 192.168.1.0 netmask 255.255.255.0 { 
Heals Range o7 68 NOES steel eo: 
} 

group { 
  host sheevaplug { 
    hardware ethernet 00:50:43:XX:XX:XX; # Use your MAC address 
    fixed-address 192.168.1.109; 
    next-server 192.168.1.171; # Use your TFTP server address here 
    option root-path "192.168.1.171:/usr/home/hayford/sroot"; # Put your NFS server here 
  } 
} 


Listing 4. Fragment Of The File etc/inetd.conf On The TFTP Server 


# Run comsat as root to be able to print partial mailbox contents w/ biff, 
# or use the safer tty:tty to just print that new mail has been received. 
#comsat dgram udp wait tty:tty /usr/libexec/comsat comsat 
# 
# ntalk is required for the 'talk' utility to work correctly 
#ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd 
tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpboot 
tftp dgram udp6 wait root /usr/libexec/tftpd tftpd -l -s /tftpboot 


Listing 5. Add These Lines To /etc/rc.conf To Enable The NFS Server (FreeBSD) 


4 dO Ghese lines £0 6C.conr 
oh See eel Nn Se 
Le niece = ie 
rpcbind_enable="YES" 
a oe loci emails = vn 
Se Poser seme nS! 


What you'll need: 


1. A SheevaPlug (http://www.globalscaletechnologies.com/p-22-sheevaplug-dev-kit-us.aspx). 

2. A Windows computer that can run 
the driver software from Marvell 
so you can talk to the SheevaPlug. 
There is information available on the 
web (http://dev.gentoo.org/~armin76/arm/sheevaplug/install.xml 
or http://mail-index.netbsd.org/current-users/2009/05/25/msg009557.html) that 
shows how to use Linux or NetBSD 
to talk to the serial port on the 
SheevaPlug, if you'd like to try that. 
Be forewarned that some of these 
methods require you to reflash the 
SheevaPlug. Besides, you needed 
something for that Windows box to 
do. 

3. A computer (X86-compatible) that 
runs a recent version of FreeBSD. 
For reasons we'll discuss below, the 
build/boot process will be easier if this 
computer is also the NFS server that 
your SP can use as a root drive. 


4. A computer (can be the same as 
in 3 above) that will act as a DHCP 
server and TFTP server. 


Listing 6. The /etc/exports File That Allows The SheevaPlug To Attach To The Root Directory 


#The following examples export /usr to 3 machines named after ducks, 
#/usr/src and /usr/ports read-only to machines named after trouble makers 
#/home and all directories under it to machines named after dead rock stars 
#and, /a to a network of privileged machines allowed to write on it as root. 
#/usr huey louie dewie 
#/usr/src /usr/obj -ro calvin hobbes 
#/home -alldirs janice jimmy frank 
#/a -maproot=0 -network 10.0.1.0 -mask 255.255.248.0 
# 
# You should replace these lines with your actual exported filesystems. 
# Note that BSD's export syntax is 'host-centric' vs. Sun's 'FS-centric' one. 
/usr/home/hayford/sroot -maproot=root -network 192.168.1.0 -mask 255.255.255.0 


Listing 7. Loading The FreeBSD Kernel Onto The SheevaPlug With TFTP 


** MARVELL BOARD: SHEEVA PLUG LE 

U-Boot 1.1.4 (Mar 19 2009 - 16:06:59) Marvell version: 3.4.16 

U-Boot code: 00600000 -> 0067FFF0 BSS: -> 006CEE80 

Soc: 88F6281 A0 (DDR2) 
CPU running @ 1200Mhz L2 running @ 400Mhz 
SysClock = 400Mhz , TClock = 200Mhz 

DRAM CAS Latency = 5 tRP = 5 tRAS = 18 tRCD=6 
DRAM CS[0] base 0x00000000 size 256MB 
DRAM CS[1] base 0x10000000 size 256MB 
DRAM Total size 512MB 16bit width 
Flash: 0 kB 
Addresses 8M - 0M are saved for the U-Boot usage. 
Mem malloc Initialization (8M - 7M): Done 
NAND:512 MB 

CPU : Marvell Feroceon (Rev 1) 

Streaming disabled 
Write allocate disabled 

USB 0: host mode 
PEX 0: interface detected no Link. 
Net: egiga0 [PRIME], egiga1 
Hit any key to stop autoboot: 0 
Marvell>> dhcp 
BOOTP broadcast 1 
DHCP client bound to address 192.168.1.109 
Marvell>> tftpboot 900000 sp/kernel.bin 
Using egiga0 device 
TFTP from server 192.168.1.171; our IP address is 192.168.1.109 
Filename 'sp/kernel.bin'. 
Load address: 0x900000 
Loading: ################################################################# 
done 
Bytes transferred = 2729908 (29a7b4 hex) 
Marvell>> go 900000 
## Starting application at 0x00900000 ... 


Listing 8. Partial Listing Of The U-Boot Command Line Interface For The SheevaPlug 


Marvell>> help 
?        - alias for 'help' 
base     - print or set address offset 
boot     - boot default, i.e., run 'bootcmd' 
cpumap   - Display CPU memory mapping settings. 
dhcp     - invoke DHCP client to obtain IP/boot params 
ext2load - load binary file from a Ext2 filesystem 
ext2ls   - list files in a directory (default /) 
fatinfo  - print information about filesystem 
fatload  - load binary file from a dos filesystem 
fatls    - list files in a directory (default /) 
go       - start application at address 'addr' 
help     - print online help 
ls       - list files in a directory (default /) 
map      - Diasplay address decode windows 
md       - memory display 
ping     - send ICMP ECHO_REQUEST to network host 
printenv - print environment variables 
reset    - Perform RESET of the CPU 
resetenv - Return all environment variable to default. 
run      - run commands in an environment variable 
saveenv  - save environment variables to persistent storage 
setenv   - set environment variables 
tftpboot - boot image via network using TFTP protocol 
usb      - USB sub-system 
usbboot  - boot from USB device 
version  - print monitor version 


Note 


When this article was written, support 
for SheevaPlug was still experimental. 
By the time you read this, SheevaPlug 
should be fully supported in FreeBSD 
8; however, the build instructions were 
written to show what works, not what may 
(or may not) be available when you read 
this. The instructions, as written, will still 
work, however, you most likely won't need 
Lines 4 and 6, and the supfile you use in 
Line 2 should now be the standard supfile 
for FreeBSD 8. See the FreeBSD-arm 
mailing list (in the Resources section) for 
more details on current support features for 
SheevaPlug. 


Getting and Building FreeBSD 

If you've followed along with some 
of the articles from this magazine 
that deal with building NetBSD for an 
embedded system, you'll notice some 
immediate differences when you go to 
build FreeBSD. For example, NetBSD 
uses a build script that will run on 
virtually any Unix-like system. Partly this 
is because the script builds most of the 
ancillary software that NetBSD needs; 
as a result, it can take a lot longer to 
build NetBSD for an embedded system. 
With FreeBSD, on the other hand, you 
pretty much have to build it using 
a FreeBSD system. NetBSD's build 
scripts allow slightly better control over 
where the object and executables end 
up. I also had trouble getting FreeBSD 
to install the world files to a NFS-shared 
directory on another (Linux) machine 
and ended up using a FreeBSD system 
as the NFS server for the root system. 
All-in-all, the differences between the 
two systems are relatively small. My 
prediction: you'll forget about all of 
these once you see how much faster 
FreeBSD builds. 

Like NetBSD, FreeBSD uses CVS 
to manage the source code repository. 
Instead of using CVS directly, however, 
FreeBSD supplies an application, csup, 
that uses an external file to control how 
and where source code is downloaded. 
The control file for this project is shown 
in Listing 1. You need to change line 3 
to reflect the CVS host you will be using 
for the download; see the instructions in 
lines 1 and 2. You'll need to change the 
directory in line 5 to show where you want 
the source code placed, and line 9 says 
to download all of the source files, which 
you'll want. I've added a date tag to line 6 
so that the downloaded files are from a 
date that we know will build and run 
correctly on the SP (but see the Note). 


Listing 2 shows the commands that are necessary to retrieve the source files
and to build both the kernel and the world (all of the files that FreeBSD
needs to run that aren't actually part of the kernel). On a reasonably fast
machine, this process will take a few hours, including the download. Line 2
is used to download the source code and Lines 3-6 will get and apply the
patch needed to build the SP kernel. Line 7 is used to control where the
files are put during the build, while Line 11 controls where the root
directory will be put during the build process. Note the difference between
lines 7 and 11; my normal user shell is bash, while the root shell is csh.

The fact that part of the build steps requires you to change to the
superuser is another difference between NetBSD and FreeBSD. Part of the
reason for this is that FreeBSD sets the immutable bit on system files so
they can't be inadvertently changed, which only the superuser can do. This
also makes it more difficult (or impossible — I couldn't find a work-around)
to install FreeBSD to a remotely-hosted NFS file system.

Once you have finished building FreeBSD, you will need to set up your local
network to provide a DHCP server, a NFS server, and a TFTP server. Since I
already had a DHCP server on a Linux machine, I didn't set one up for this
project, but doing so is straightforward. See the Resources section for
information on how to do this on FreeBSD. Regardless of the system type,
you'll need to make sure your /etc/dhcpd.conf file has the lines shown in
Listing 3. Make sure the root directory you put in the DHCP configuration
file is the same location that you used on Line 11 of Listing 2. A common
mistake is to have multiple DHCP servers on the network. If you have a
router, you probably already have a DHCP server. Unfortunately, most routers
can hand out addresses but can't handle the additional options you'll need
for the SP, so you'll need to disable your router's DHCP capabilities and
create your own DHCP server.


For the TFTP server, edit /etc/inetd.conf as shown in Listing 4 and
uncomment Lines 30-31. Note that your line numbers may be slightly
different. To enable the NFS server on FreeBSD, add the lines shown in
Listing 5 to your /etc/rc.conf and create (or add to) the file /etc/exports
as shown in Listing 6. Here, make sure you export the same directory as
listed in your DHCP configuration file and that you used in Listing 2 to
build the root directory on. Because of the immutable bit difficulty
described above, I ended up building the root directory locally and then
sharing that using a NFS server on FreeBSD.


Booting the SheevaPlug

Now we're ready to boot up the SheevaPlug. If you haven't done so, you'll
need to install the drivers for the SP's USB serial port, and you'll need a
program that runs on Windows that allows you to use the serial port.
Regardless of the version of Windows, my favorite is PuTTY, available from
http://www.chiark.greenend.org.uk/~sgtatham/putty/. Plug the mini-USB
connector into the SP and your Windows computer, start PuTTY, and use the
serial port to login to the SP. Chances are that the SP will boot into
Debian Linux long before you get PuTTY up and running, so you'll need to
login to Debian (user: root, password: nosoup4u) and reboot the SP. At this
point, you should see output similar to that shown in the top part of
Listing 7. Hit any key when you see the command to stop the SP from booting
back into Linux, and type a ?, as shown at the top of Listing 8. You'll get
a long list of available commands that U-Boot understands; generally,
entering ? <command-name> will get you more information on that particular
command. At this point, we will only need to use three, dhcp, tftpboot, and
go, as shown in the bottom half of Listing 7, but I left in some of the more
interesting commands if you'd like to explore U-Boot a little. Once the
kernel has been loaded (at address 0x900000 — another common error is to use
the wrong load address), type in the go 900000 command and you should see
the FreeBSD bootup text scroll by as shown in Listing 9. When it's all
finished you should be logged into the SP as root. From that point, I
recommend that you set up a user and follow the normal steps to generate a
useful FreeBSD system.


Listing 9. Partial Console Output From Booting FreeBSD On The SheevaPlug

Copyright (c) 1992-2009 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 8.0-BETA2 #0: Sat Aug 22 21:20:49 EDT 2009
    hayford@freegemu:/usr/home/hayford/obj/arm/usr/home/hayford/sp/src/sys/SHEEVAPLUG
CPU: Feroceon 88FR131 rev 1 (write-through core)
  Instruction cache prefetch enabled, data cache prefetch enabled
  256KB 4-way set-associative write-through unified L2 cache
real memory  = 536870912 (512 MB)
avail memory = 520634368 (496 MB)
SOC: Marvell 88F6281 rev A0, TClock 200MHz
mbus0: <Marvell Internal Bus (Mbus)> on motherboard
ic0: <Marvell Integrated Interrupt Controller> at mem 0xf1020200-0xf102023b on mbus0
timer0: <Marvell CPU Timer> at mem 0xf1020300-0xf102032f irq 1 on mbus0
gpio0: <Marvell Integrated GPIO Controller> at mem 0xf1010100-0xf101011f irq 35,36,37,38,39,40,41 on mbus0
rtc0: <Marvell Integrated RTC> at mem 0xf1010300-0xf1010307 on mbus0
uart0: <16550 or compatible> at mem 0xf1012000-0xf101201f irq 33 on mbus0
uart1: <16550 or compatible> at mem 0xf1012100-0xf101211f irq 34 on mbus0
ehci0: <Marvell Integrated USB 2.0 controller> at mem 0xf1050000-0xf1050fff irq 48,19 on mbus0
usbus0: <Marvell Integrated USB 2.0 controller> on ehci0
mge0: <Marvell Gigabit Ethernet controller> at mem 0xf1072000-0xf1073fff irq 12,13,14,11,46 on mbus0
miibus0: <MII bus> on mge0
e1000phy0: <Marvell 88E1116R Gigabit PHY> PHY 0 on miibus0
usbus0: 480Mbps High Speed USB v2.0
bootpc_init: wired to interface 'mge0'
Sending DHCP Discover packet from interface mge0
mge0: link state changed to UP
Sending DHCP Request packet from interface mge0
Received DHCP Ack packet on mge0 from 192.168.1.171 (accepted) (got root path)
mge0 at 192.168.1.109 server 192.168.1.171 boot file /tftpboot/sp/kernel.bin
subnet mask 255.255.255.0 router 192.168.1.1 rootfs 192.168.1.171:/usr/home/hayford/sroot
Trying to mount root from nfs:
NFS ROOT: 192.168.1.171:/usr/home/hayford/sroot
Enter full pathname of shell or RETURN for /bin/sh:
# mount
192.168.1.171:/usr/home/hayford/sroot on / (nfs, read-only)
devfs on /dev (devfs, local)
#
The second most common problem at this point is if the SP is unable to
mount the NFS file system as its root directory, usually because the NFS
server isn't set up correctly or the DHCP server didn't tell the SP either
the right network address or folder name. Towards the bottom of the bootup
output (Listing 9), you'll see the message:

Received DHCP Ack packet on mge0 from 192.168.1.171 (accepted) (got root path)
mge0 at 192.168.1.109 server 192.168.1.171 boot file /tftpboot/sp/kernel.bin
subnet mask 255.255.255.0 router 192.168.1.1 rootfs 192.168.1.171:/usr/home/hayford/sroot

If these lines don't look right or if you don't see the got root path
message, check your DHCP configuration file and verify that the root
directory is specified correctly. With NetBSD, you can set the kernel to ask
for the location of the root device; convenient when you are starting out.
FreeBSD isn't quite so flexible and the DHCP server must supply the correct
root location for a NFS-mounted root system.

If you're a little adventurous, you can play around with the environment
saved in the SP flash that is used by U-Boot to make the SP boot up into
FreeBSD (using TFTP and NFS) automatically. But I'll leave that as an
exercise for the reader.


Getting Help

Like NetBSD, FreeBSD has a wiki that contains a lot of useful information on
running and installing software, including FreeBSD itself. You can go to the
wiki at wiki.freebsd.org for the latest information on ARM support. One
difference, however, that will quickly become apparent, is that the FreeBSD
wiki is for the benefit of developers, not users, and contributions are from
a more limited population. This is not a criticism, just an observation.
It's unusual to find people that like both developing and writing about
software, so the wiki is often out-of-date or incomplete. The mailing list,
like most, is extremely helpful and friendly, so go there with questions
(after you've tried to work it out for yourself, first, of course). See the
Resources section for more details.


Resources

Information on SheevaPlug hardware: http://www.plugcomputer.org/data/docs/tech/SheevaPlug%20Devkit%20Reference%20Design-Rev1.1.pdf

The FreeBSD web site: http://www.freebsd.org.

The FreeBSD developer's wiki: http://wiki.freebsd.org/FreeBSDMarvell.

The FreeBSD-ARM mail list: http://lists.freebsd.org/mailman/listinfo/freebsd-arm.
http://www.bsdcan.org/2008/schedule/attachments/49_2008_uboot_freebsd.pdf

The description of the command line interface for U-Boot can be found here:
http://www.denx.de/wiki/view/DULG/UBootCommandLineInterface. Note that this
manual includes features not found in the SheevaPlug version of U-Boot.

To setup a DHCP server on FreeBSD, see http://www.freebsd.org/doc/en/books/handbook/network-dhcp.html

A combined serial port/SSH program for Windows is PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/


Conclusion 

While FreeBSD doesn't yet support as many hardware configurations as NetBSD,
the developers are working hard to increase FreeBSD's credentials in the
embedded world. In both the server and desktop world, FreeBSD has a
significantly larger installation base than NetBSD, so that could be a real
advantage to developers looking to add particular hardware or software items
to their embedded system. The NetBSD build and development environment is a
little more advanced and can be used on a variety of operating systems
(BSD's, Linux, and Windows) while FreeBSD's requires a FreeBSD system.
Still, this is not much of a limitation and FreeBSD has a mature and
easy-to-use build environment. All in all, FreeBSD is an excellent choice
for an embedded operating system and I, for one, look forward to using it on
more systems in the future.

The SheevaPlug is an excellent ARM development system that you'll have a lot
of fun with, particularly if you've not experienced FreeBSD on an embedded
system. At present, there isn't support for the SheevaPlug flash memory in
FreeBSD, but I predict that by the time you read this, you'll be able to
boot your SheevaPlug as easily with FreeBSD as you can now with Linux.


Email server in FreeBSD


Configuring FreeBSD as a mail server with 
Postfix and Dovecot in FreeBSD 7.X 





Francisco Reyes 


This tutorial is a step by step guide on how to set up your own mail server
using Postfix as the Mail Transfer Agent (MTA) and Dovecot as the IMAP
server and as the authenticating agent for Postfix. These instructions were
tested with FreeBSD 7.2.


In addition to Postfix and Dovecot we will also go over how to install
Postgresql, which stores the user information that both Postfix and Dovecot
need simultaneous access to. Unless otherwise instructed all operations in
this tutorial need to be performed as root.

We will need to use the port system. If you are new to it check chapter 4 of
the handbook.


Process overview 
All programs in this article will be installed through the port system. The
ports used for this article were Postgresql 8.4.0, Dovecot 1.2.4, Dovecot
Sieve 1.2+0.1.12 and Postfix 2.6.3.

This tutorial installs all ports in batch mode; however, if you like you can
remove the BATCH=yes and do the installs in interactive mode. Be aware that
if you do the port install in interactive mode, any ports installed as
dependencies will also be in interactive mode. The setup as described in
this article uses virtual users, so no users need to be created in the
operating system to accept mail.


Postgresql Port 

Because it is a dependency for both Dovecot and Postfix, let's install
Postgresql first. If you already have Postgresql installed you can skip the
port installation and only do the SQL statements (see Listing 1). We need to
create a database and the table. Create a file, mail.sql, with the following
content (see Listing 2).

We will then load the file into postgres.


#psql -U pgsql -f mail.sql postgres


Dovecot Port 
To install this port we do as follows: see Listing 3.

Edit /usr/local/etc/dovecot.conf as follows: see Listing 4.
Edit /usr/local/etc/dovecot-sql.conf as follows: see Listing 5. The
directory /usr/local/share/examples/dovecot/ contains examples of both files
with a considerable amount of useful information, including explanations for
all the parameters on the lines in this tutorial.

Create the log file for dovecot: 


#touch /var/log/dovecot-deliver.log 


#chown mailnull:mail /var/log/dovecot-deliver.log 


Postfix port 
We install postfix last because it depends on both postgresql and dovecot.


#cd /usr/ports/mail/postfix
#make WITH_DOVECOT=yes WITH_TLS=yes WITH_PGSQL=yes WITH_TEST=yes BATCH=yes install clean
#rehash


Disable sendmail, the default MTA, and enable postfix at startup by adding
to your /etc/rc.conf:


sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
postfix_enable="YES"


Disable some sendmail specific daily maintenance by editing
/etc/periodic.conf and placing the following:


daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"


Configure Postfix as the system mailer. Edit /etc/mail/mailer.conf as
follows: see Listing 6. The Postfix configuration file is
/usr/local/etc/postfix/main.cf. Change the entire main.cf as follows (see
Listing 7). You also need to edit /usr/local/etc/postfix/master.cf and add
at the bottom: see Listing 8.

Create the directory where we will hold the mail and give it the proper
rights.


mkdir /usr/Mail/
chown mailnull:mail /usr/Mail/


As I stated in the main.cf note, /usr/Mail can be replaced with whatever
directory you want to use to hold your mail.


Edit /usr/local/etc/postfix/virtual_maps with your preferred editor and add
users in the format


postmaster@mydomain.com    mydomain.com/postmaster/Maildir


Convert the file into a database for faster lookup


postmap /usr/local/etc/postfix/virtual_maps


For a fully documented main.cf see /usr/local/libexec/postfix/main.cf.

Before we can test our setup we need to populate the table passwd we
created.





The value of the encrypted password is Pass2009.

As you need to create more users, if you don't have an easy way to generate
a crypt value you can use http://Stringsutils.com. Create a newalias file,
kill sendmail, start postfix and dovecot. We could not start dovecot before
because it will be using the postfix user, which was not yet created when we
finished creating the Dovecot port.


#newaliases
#/etc/rc.d/sendmail stop
#rehash
#/usr/local/etc/rc.d/dovecot start
#postfix start


Although the setup described in this article will not use the newalias file,
Postfix looks for it. To test postfix is running:


telnet localhost 25

You should see a prompt

Trying 127.0.0.1...
Connected to < your host name >
Escape character is '^]'.

Use CTRL+], then type quit


Listing 1. Postgresql installation from ports

#cd /usr/ports/databases/postgresql84-server
#make BATCH=yes install clean
#echo 'postgresql_enable="YES"' >> /etc/rc.conf
#/usr/local/etc/rc.d/postgresql initdb
#/usr/local/etc/rc.d/postgresql start


Listing 2. SQL statements to load into Postgres

CREATE USER mail password 'Pass2009';
CREATE DATABASE mail owner mail;
\c mail
CREATE TABLE passwd (
    id character varying(128) DEFAULT ''::character varying NOT NULL,
    crypt character varying(128) DEFAULT ''::character varying NOT NULL,
    clear character varying(128) DEFAULT ''::character varying NOT NULL,
    name character varying(128) DEFAULT ''::character varying NOT NULL,
    uid integer DEFAULT 26 NOT NULL,
    gid integer DEFAULT 6 NOT NULL,
    home character varying(255) DEFAULT ''::character varying NOT NULL,
    maildir character varying(255) DEFAULT ''::character varying NOT NULL,
    defaultdelivery character varying(255) DEFAULT ''::character varying NOT NULL,
    quota character varying(255) DEFAULT ''::character varying NOT NULL
);
ALTER TABLE public.passwd OWNER TO mail;
ALTER TABLE ONLY passwd
    ADD CONSTRAINT id PRIMARY KEY (id);


Listing 3. Dovecot installation from ports

#cd /usr/ports/mail/dovecot
#make install WITH_PGSQL=yes WITHOUT_IPV6=yes BATCH=yes
#echo 'dovecot_enable="YES"' >> /etc/rc.conf
#cd /usr/ports/mail/dovecot-sieve
#make install BATCH=yes
#make clean


Testing your setup 
If you already have an IMAP client you can connect to your newly configured
dovecot server using the test user. Remember that when logging in you need
to use the fully qualified user name such as postmaster@mydomain.com. Also
remember that you will need to use SMTP authentication to send mail through
your server.

If you don't have an IMAP client there is a text based mail client, called
cone, in the ports system which you can use for your test. You can install
cone on the same server where you have installed dovecot or on a different
machine as long as it can connect to the dovecot IMAP server. Cone has
several dependencies (gnupg, curl) and it takes quite a bit to compile, so
if you have a mail client installed it is best to use whatever you already
have installed.


Installing Cone 


#cd /usr/ports/mail/cone 


#make install clean 


For the rest of the test you do not need to 
be the root superuser. 










Listing 4. Dovecot configuration file

## Dovecot configuration file
# If you're in a hurry, see http://wiki.dovecot.org/QuickConfiguration
protocols = imap pop3
disable_plaintext_auth = no
shutdown_clients = yes
ssl = no
login_process_size = 64
mail_location = maildir:/usr/Mail/%d/%n/Maildir
mail_privileged_group = mail
# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
# since version 3, so this should be safe to use nowadays by default.
dotlock_use_excl = yes
verbose_proctitle = yes
first_valid_uid = 26
last_valid_uid = 26
first_valid_gid = 6
last_valid_gid = 6
maildir_copy_with_hardlinks = yes

## IMAP specific settings
protocol imap {
  imap_client_workarounds = delay-newmail netscape-eoh tb-extra-mailbox-sep
}

## POP3 specific settings
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

## LDA specific settings
protocol lda {
  # Address to use when sending rejection mails.
  postmaster_address = postmaster@example.com
  mail_plugins = sieve
  sendmail_path = /usr/sbin/sendmail
  log_path = /var/log/dovecot-deliver.log
  info_log_path = /var/log/dovecot-deliver.log
}

# Log unsuccessful authentication attempts and the reasons why they failed.
auth_verbose = no
# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
auth_debug = no
# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
auth_debug_passwords = no

auth default {
  mechanisms = plain
  passdb sql {
    args = /usr/local/etc/dovecot-sql.conf
  }
  userdb passwd {
    args = blocking=yes
  }
  userdb sql {
    args = /usr/local/etc/dovecot-sql.conf
  }
  user = root
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0660
      user = mailnull
      group = mail
    }
    client {
      path = /var/run/dovecot/auth-client
      mode = 0660
      user = postfix
      group = mail
    }
  }
}

#quota = mysql:/usr/local/etc/dovecot-dict-quota.conf
#expire = db:/var/db/dovecot/expire.db

## Plugin settings
plugin {
}


Start the cone program by typing
'cone' from the command prompt.
Hit 'M' for the main menu.
Select 'N' for new account.
Select 'I' for IMAP.
Type a descriptive name for the account name.
Type IP or DNS name of the machine in the Server field. Add
/novalidate-cert at end. Needed since cone looks for SSL by default.
Enter username including domain in the Login field.
Enter password in Password field.
Select Inbox folder.


Once you are able to connect to the IMAP server with your own client or with
cone you then need to try sending an email to it. If the machine is the
machine responsible for handling email for the given domain (i.e. DNS MX
records point to it) you can send an email to your test user from any
machine. If the IMAP server doesn't yet have MX records pointing to it, you
can still test your setup by setting the machine you configured as your
Cyrus server as the SMTP server. If using cone from the same machine you
don't need to do anything extra. Just write an email and send it to your
test user. By default cone will use the current machine as the delivery SMTP
server.


On the 'Net

Dovecot site: http://dovecot.org/
Postfix web site: http://www.postfix.org/
Postgresql site: http://www.postgresql.org/
Cone web site: http://www.courier-mta.org/cone/


Listing 5. Dovecot SQL configuration file

driver = pgsql
connect = host=localhost dbname=mail user=mail password=Pass2009
default_pass_scheme = CRYPT
password_query = SELECT crypt AS password FROM passwd WHERE id = '%u'
user_query = SELECT home, uid, gid FROM passwd WHERE id = '%u'


Listing 6. Mailer.conf for Postfix

#
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
#
sendmail        /usr/local/sbin/sendmail
send-mail       /usr/local/sbin/sendmail
mailq           /usr/local/sbin/sendmail
newaliases      /usr/local/sbin/sendmail


Listing 7. Postfix configuration file

queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
setgid_group = maildrop
mail_owner = postfix
myorigin = $myhostname
relay_domains = $mydestination
mynetworks_style = host
local_recipient_maps = $virtual_mailbox_maps
unknown_local_recipient_reject_code = 550
mydestination = localhost, localhost.$mydomain
#/usr/Mail arbitrarily chosen. Pick a directory of your choice.
virtual_mailbox_base = /usr/Mail
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# Multiple domains for virtual_mailbox_domains can be placed
# comma separated or use a file like I show you below for virtual_mailbox_maps
virtual_mailbox_domains = mydomain.com
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_maps
virtual_uid_maps = static:26
virtual_gid_maps = static:6
message_size_limit = 20250000
bounce_queue_lifetime = 2h
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unauth_pipelining
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_pipelining
    reject_invalid_hostname
    reject_non_fqdn_recipient
    reject_unknown_reverse_client_hostname
    reject_unknown_recipient_domain
    reject_unauth_destination
smtpd_client_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
#####
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
#####


Listing 8. Postfix changes to master.cf

# Dovecot LDA
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=mailnull:mail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -n -m ${extension}


Listing 9. Adding a user to the database for mail

#psql -U pgsql mail
insert into passwd (id, crypt, home)
values ('postmaster@mydomain.com', '$1$ivtiEVV9$kpnG/pBBWm6wNJ.Pe7qgr1', '/usr/Mail/mydomain.com/postmaster');


Additional notes 


The way we configured postgresql for this tutorial allows any user to
connect to the server. You need to edit your pg_hba.conf to make it secure.
See http://www.postgresql.org/docs/8.4/interactive/auth-pg-hba-conf.html.
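
The pg_hba.conf tightening mentioned above can be checked mechanically. The following Python script is an added example, not part of the original article: it parses pg_hba.conf rules and flags those that leave the mail database open. All three rule sets are constructed samples; the permissive one assumes initdb was run without an -A option, and the ident rule for the pgsql superuser is one possible choice, not the author's.

```python
import ipaddress

# Constructed sample (assumption): what initdb leaves behind when run without
# an -A option; every connection is accepted with no authentication.
PERMISSIVE_HBA = """\
# TYPE  DATABASE  USER   CIDR-ADDRESS    METHOD
local   all       all                    trust
host    all       all    127.0.0.1/32    trust
host    all       all    ::1/128         trust
"""

# Constructed sample: the superuser is tied to its OS account on the Unix
# socket; only role "mail" reaches database "mail", by password, over loopback
# (dovecot-sql.conf in this tutorial connects with host=localhost).
RESTRICTED_HBA = """\
# TYPE  DATABASE  USER   CIDR-ADDRESS    METHOD
local   all       pgsql                  ident
host    mail      mail   127.0.0.1/32    md5
host    mail      mail   ::1/128         md5
"""

# Constructed sample: password-protected, yet open to every address and role.
EXPOSED_HBA = "host  all  all  0.0.0.0/0  md5\n"


def parse_hba(text):
    """Return one dict per rule; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conn, net = fields[0], None
        if conn == "local" and len(fields) >= 4:
            method = fields[3]
        elif conn in ("host", "hostssl", "hostnossl") and len(fields) >= 5:
            if "/" in fields[3]:                 # CIDR form: 127.0.0.1/32
                cidr, method = fields[3], fields[4]
            elif len(fields) >= 6:               # address and netmask columns
                cidr, method = fields[3] + "/" + fields[4], fields[5]
            else:
                raise ValueError("line %d: missing method" % lineno)
            net = ipaddress.ip_network(cidr, strict=False)
        else:
            raise ValueError("line %d: unrecognised rule" % lineno)
        rules.append({"line": lineno, "type": conn, "db": fields[1],
                      "user": fields[2], "net": net, "method": method})
    return rules


def audit(rules):
    """Return (line, message) findings for rules that are too permissive."""
    findings = []
    for r in rules:
        if r["method"] == "trust":
            findings.append((r["line"], "trust: no authentication at all"))
        elif r["method"] == "password" and r["type"] in ("host", "hostnossl"):
            findings.append((r["line"], "password sent in clear text"))
        net = r["net"]
        if net is not None and not net.is_loopback:
            if net.prefixlen == 0:
                findings.append((r["line"], "reachable from any address"))
            if "all" in (r["db"], r["user"]):
                findings.append((r["line"],
                                 "remote rule not limited to one database and role"))
    return findings


if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE_HBA),
                       ("restricted", RESTRICTED_HBA),
                       ("exposed", EXPOSED_HBA)):
        print(name)
        for line, message in audit(parse_hba(text)) or [("-", "no findings")]:
            print("  line %s: %s" % (line, message))
```

With the restricted rules in place, the psql -U pgsql commands from this tutorial have to be run from the pgsql operating system account.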

The sieve plugin we installed allows you to set up filtering at the IMAP
level. See http://wiki.dovecot.org/LDA/Sieve for instructions on how to use
sieve.


Monitoring OpenBSD with symon





Matthias Pfeifer 


Once you have your OpenBSD Server running, you might want to monitor your
machine. There are several ways to do this and there is a large number of
tools you could use for it.


One of these tools I will show you in this how-to article is symon. Symon is
very easy to install and, once the setup is done, it will provide useful
status information of your system. Among its greatest benefits are the
graphical presentation and its very simple configuration. Because of the
design of symon, you can also use symon in a large network environment. And
of course, symon will work on all other BSD's too. Our symon setup comes in
two parts: symon and syweb. The symon package contains symon and symux,
which are used to collect and prepare the collected information. Syweb is
used to display the collected data.


Note 
Syweb needs PHP. So make sure that you have PHP installed. 


Installing symon 

On OpenBSD, we are in luck, because there are symon and syweb packages
available. Make sure that your PKG_PATH variable is set (e.g. export
PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.5/packages/i386/). Then you can
just type pkg_add symon in your console. For the further configuration it is
better to have syweb already installed (see Listing 2).


Listing 1. Installing symon

# pkg_add symon
libart-2.3.20p0: complete
rrdtool-1.2.30: complete
symon-2.78: complete
--- symon-2.78 -------------------
Example configurations for both symon and symux have been installed
in /usr/local/share/examples/symon.
RRD files can be obtained by running
/usr/local/share/symon/c_smrrds.sh
Read the LEGACY section of symux(8) for information about
migrating RRDs from a previous symux version.


Listing 2. Installing syweb

# pkg_add syweb
syweb-0.55p1: complete
--- syweb-0.55p1 -------------------
syweb's default install assumes that:
- apache is chrooted at /var/www
se aaele © Omens menietl Ste cil le Clee nie neu GlniR@ One
- symux rrd files are kept in /var/www/symon/rrds/HOST/*.rrd
rrdtool can be installed in the chroot using
/var/www/symon/install_rrdtool.sh
Customise /var/www/htdocs/syweb/setup.inc if these assumptions are
incorrect.


Configuring symon

I will show you a small symon setup here, so we do not change any paths for
syweb here. The following configuration is very easy to extend. See the
manpages of symon and symux (man symon, man symux). We start our
configuration with the following files:


/etc/symon.conf
/etc/symux.conf


For the beginning, we want to monitor just the first CPU (cpu(0)) and the
RAM (mem) (look at the Data formats section in the symon manpage for more
monitoring targets). Ok, let's start and add this to /etc/symon.conf:


monitor
{
    cpu(0),
    mem
} stream to 127.0.0.1 2100


As you can see, we will stream the collected data to localhost. However, you
can stream these data to another monitoring station. Just enter the
machine's IP here.

Now, add the following lines to /etc/symux.conf (see Listing 3).


Listing 3. Configuring /etc/symux.conf

mux 127.0.0.1 2100
source 127.0.0.1
{
    accept
    {
        cpu(0),
        mem
    }
    datadir "/var/www/symon/rrds/localhost"
}


The source section is set for every host which should be monitored. The
source section in symux.conf is similar to the monitor section in
symon.conf.

Next, we need the datadir directory for our data:


mkdir /var/www/symon/rrds/localhost


Note
Each source section needs its own datadir!

Symon ships with some useful shell scripts which make the configuration much
easier. You can find the scripts in /usr/local/share/symon/.

One of the shipped scripts is used to generate the needed rrd files. We need
to create two rrd files for our monitoring objects (cpu(0) and mem)
(Listing 4).


Listing 4. Creating rrd files

/usr/local/share/symon/c_smrrds.sh /var/www/symon/rrds/localhost/cpu0.rrd
/usr/local/share/symon/c_smrrds.sh /var/www/symon/rrds/localhost/mem.rrd


Now, it's time to start and check the services:


# /usr/local/libexec/symux
# /usr/local/libexec/symon


When you check the services, you should get an output similar to the
following: see Listing 5.


Note
Be sure that you start symux first. Otherwise symon will not provide any
data to symux.

In most cases, we want to start services at boot time. So we add the
following lines to /etc/rc.local (see Listing 6).

Now we have symon and symux running. That is fine but not really useful for
us because we would like a graphical presentation of our system statistics.
If you are running apache chrooted in a default setup, all you need is to
point your browser to http://localhost/syweb/. If you have some other
individual configurations, you should adjust your configuration (e.g.
symlink the syweb directory into an appropriate location and configure a
virtual host).


Caveat


Listing 5. Checking processes 


# ps -waux | grep sym 

LOGE 25000 070-020 be L020 eis 6:13PM 
local/libexec/symux 

_symon 5864" 020" 020 308 844 ?? Ss 6:19PM 


local/libexec/symon 


Listing 6. Staring services at boot time 


if [| -x /usr/local/libexec/symux |]; then 
echo, =m" “Ssymux; 
/usr/local/libexec/symux 

fi 

if [ -x /usr/local/libexec/symon ]; then 

echo =n " Symon"; 

/usr/local/libexec/symon 


fi 


O00 700 9 wei: 


There a one well known issue, when symon 
Starts. It could happen that you receive the 
following message in your logs: 


symux: could not get a semaphore 


O- 00,02 /usir/ 


We need to do a little sysctl tuning 
(The values are just a advise. Feel free 
and figure out the best setup for your 
environment). 


sysctl -w kern.seminfo.semmni=256 


sysctl -w kern.seminfo.semmns=1024 


To setup these sysctl values, add the 
following lines to /etc/sysctl.conf 


kern.seminfo.semmni=256 


kern.seminfo.semmns=1024 


Visit htto:/Awwwxs4all.nl/ wod/symon/ 
index.html vor additional information. 
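The two rules from this setup (each source section has its own datadir, and every monitored object has its rrd file) can be checked before symux is started. The script below is an added example, not part of the original article or of symon: the function names are hypothetical, the sample configuration is constructed, and it assumes the cpu(N) to cpuN.rrd and mem to mem.rrd naming from Listing 4 and datadir paths without spaces.

```shell
#!/bin/sh
# Added example: check a symux.conf against the two rules from the article.
# Assumes datadir paths contain no spaces, braces or commas.

# Print one "host<TAB>datadir<TAB>stream" record per accepted stream.
parse_symux_conf() {
    awk '
    {
        sub(/#.*/, "")            # drop comments
        gsub(/[{},]/, " & ")      # braces and commas become separate tokens
        for (i = 1; i <= NF; i++) tok[++nt] = $i
    }
    END {
        for (i = 1; i <= nt; i++) {
            t = tok[i]
            if (t == "source")       { host = tok[++i]; dir = "-"; ns = 0 }
            else if (t == "accept")  { acc = 1 }
            else if (t == "datadir") { dir = tok[++i]; gsub(/"/, "", dir) }
            else if (t == "{")       { depth++ }
            else if (t == "}") {
                depth--
                if (acc && depth == 1) acc = 0           # end of accept block
                else if (depth == 0 && host != "") {     # end of source block
                    for (k = 1; k <= ns; k++) print host "\t" dir "\t" s[k]
                    host = ""
                }
            }
            else if (acc && t != ",") s[++ns] = t
        }
    }' "$1"
}

# Map a stream to its rrd file name. Only the two forms used in the article
# are covered: mem -> mem.rrd and cpu(N) -> cpuN.rrd.
rrd_name() {
    case $1 in
        mem)       echo mem.rrd ;;
        cpu\(*\))  n=${1#cpu\(}; n=${n%\)}; echo "cpu$n.rrd" ;;
        *)         return 1 ;;
    esac
}

# Print one finding per line; return 1 if a rule is violated, 0 otherwise.
check_symux_conf() {
    records=$(parse_symux_conf "$1") || return 2
    tab=$(printf '\t')
    rc=0

    # Rule 1: each source section needs its own datadir.
    shared=$(printf '%s\n' "$records" | awk -F '\t' '
        !seen[$1 FS $2]++ { n[$2]++ }
        END { for (d in n) if (d != "-" && n[d] > 1) print d }')
    for d in $shared; do
        echo "SHARED datadir $d is used by more than one source"
        rc=1
    done

    # Rule 2: every accepted stream needs a datadir and its rrd file.
    while IFS=$tab read -r host dir stream; do
        [ -n "$host" ] || continue
        if [ "$dir" = "-" ]; then
            echo "NODIR source $host has no datadir"; rc=1; continue
        fi
        if ! file=$(rrd_name "$stream"); then
            echo "SKIP $host $stream: file name mapping not covered here"; continue
        fi
        if [ ! -f "$dir/$file" ]; then
            echo "MISSING $dir/$file (source $host, stream $stream)"; rc=1
        fi
    done <<EOF
$records
EOF
    return $rc
}

# Demo on a constructed config: two sources share one datadir and no rrd
# files have been created yet, so both rules report findings.
demo=$(mktemp -d)
mkdir "$demo/localhost"
cat > "$demo/symux.conf" <<EOF
mux 127.0.0.1 2100
source 127.0.0.1
{
    accept { cpu(0), mem }
    datadir "$demo/localhost"
}
source 10.0.0.2
{
    accept { cpu(0) }
    datadir "$demo/localhost"
}
EOF
check_symux_conf "$demo/symux.conf" || echo "symux.conf needs attention"
rm -rf "$demo"
```

Run it against /etc/symux.conf after creating the rrd files and before starting symux; an empty output with exit status 0 means both rules hold.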
BSD as the Platform for Operationalizing Organizational
Flexibility via a Data Concourse

Richard C. Batka

A major change is about to take place in large organizations worldwide and BSD is
positioned perfectly to play a starring role.


Long known for its rock solid stability and reliability in
the airline and banking industries, BSD will be used
by organizations to build information interchanges.
Building on a reliable BSD infrastructure will be the key
to operationalizing flexibility and the future standard platform
for Operationally Aware Vector Adjusting Application (OAVAA)
environments.

To meet increased market demand for products and 
services, large organizations today rely on a complex web of 
interconnected business relationships with partners, vendors, 
and suppliers. When unexpected delays occur it creates 
chaos. 

These problems are addressed by creating custom
processes (called one off exception processing) and, as all of
you know from your administration/infrastructure experience,
anytime you implement sudden/drastic changes throughout
the operational ecosystem you consume valuable resource
cycles which inevitably prevent operational flexibility.

We are constantly seeking better returns on our technology 
expenditures (investment) and we are always looking for 
ways to optimize current service/delivery capability based 
on new or improved business process (by attempting to 
integrate information from multiple functional areas within the 
organization) and for the most part, this is a process that takes 
time, requires multiple approvals and numerous man hours 
to complete and speed to completion is always an issue. 
Typically these services are built on service platforms that 
span the organization. 


Fact 

Over 70 percent of organizations that have invested in 
enterprise systems have not received the promised benefit 
on schedule (or) have invested more money than originally 
anticipated. 


BSD in the Enterprise 
Imagine if you will a BSD based data concourse service that 
enables organizations to achieve a high level of flexibility and 
the ability to quickly integrate change at an enterprise wide level. 
This can be achieved by effective communication through an 
information interchange specifically built on the BSD platform, 
designed to support the automatic, cross boundary capability 
to create, change, and modify processes. 

It's a movement that's building momentum today and
it's something you need to prepare for in the next 18-24
months. Thousands of organizations worldwide will build
out this new capability and quickly discover that they have a
distinct market advantage.


BSD has the Flexibility

To provide a reliable infrastructure for applications that are
data concourse service aware and ready to facilitate operations
among vendors, customers, and suppliers by aggregating
discrete data elements, structuring it as information, and
providing push up reports with wide visibility.

This new environment will also allow firms to achieve
economies of scale upon the creation of a data concourse
service that provides clients and their partners the use of
standardized operational applications connecting to standardized
business management applications which will have the
support functions to enact real time process change at an
operational level.

The goal is to enable effective, real time information
interchange by creation of a data concourse service which
will promote the aggregation of data from internal and
external sources, correlate it, and then make it available
for immediate automated process/rule creation or further
analysis. Additionally, it does something that has never
successfully been achieved before at the enterprise level:
connect operational applications and
business management applications.


Creating these Connections is the Key to Organizational
Flexibility and Ultimately Competitive Advantage

Through effective information interchange (and the associated
automatic rule/process creation that results) between
organizational levels/business units within the organization,
organizations will be able to achieve something never thought
possible: automatically creating process connections between
strategy and operations, so that changes are automatically
incorporated on either side. To achieve this, an organization
must have the proper combination of BSD based infrastructure,
event aware applications, and flexibility.

What is BSD Based Information Interchange?

Information interchange enables a clear separation of duties
between applications that support standard operations and those
applications that require flexibility to handle changes. BSD is
the platform of choice to support the next generation of aware
applications that allow for the successful resolution of semantic
differences between unstructured and structured data in use by
applications today.

I call the next generation applications Operationally Aware Vector
Adjusting Applications (OAVAA). These applications will provide
organizational leadership with what's been lacking today, namely
real-time shared visibility in aid of effective decision making and
the ability to automatically react to deltas discovered between
operational and business management applications upon
synchronization. These interchange features provide the balance
needed for enterprise flexibility.

The elements to this approach are:

Enterprise based, process enabled, operational & business
management applications

Information interchange (based on a robust BSD environment) which
facilitates the connection between areas (example: operations and
business)

Audit trail capability

Multi-site deployment capability with failover & backup capability

Straightforward licensing model


Operational applications designed for 
efficiency are insulated from needing to be 
changed frequently. Business management 
applications are flexible and easier to 
change; they support collaboration, 
analysis, and decision support so to 
achieve flexibility, the enterprise must have 
the proper combination of hard and fast 
business rules and openness to change. 


Flexibility?

All enterprises want to be flexible. They
want the ability to change with current
market conditions; however, many confuse
flexibility with speed to market. They find
themselves failing because of the inability
to make changes related to those current
market conditions. Meanwhile, others are
so intent on effectiveness that they turn
a blind eye to market conditions.


It's a Moving Target 

All companies have strategy and all 
companies have operations. Prevailing 
wisdom would say that changes in the 
marketplace should lead to changes 
in strategy and operations — but this is 
never the case. 


Fact 

Seven of eight large enterprises failed to 
meet self imposed growth (profitability) 
targets. 


Fact 

More than 95 percent of employees are 
unaware of or do not understand their 
enterprise strategy. 
Self-evident Disconnect

Strategy and operations are not communicating effectively. Strategy
prepares for the future and chases flexibility, but operations are
rigid and designed to be consistent. Strategy requires extreme
flexibility in making choices and changes frequently, while
operations are complicated and take time and money to change. There
is a disconnect between strategy and operations. The disconnect is
the roadblock. Why? Because changes in strategy are not reflected in
operations fast enough.

Over the years organizations have spent millions of dollars trying to
synchronize the two by investing in enterprise resource planning
(ERP), operational support systems, decision support systems,
performance management tools, analytics, and dashboards. Talk to an
executive on the golf course about these systems. They will be happy
to share tales of frustration regarding massive integration
contracts, mediocre results, and uncomfortable silences during board
meetings. For real excitement, try asking a front line manager
*after* they spent all week in training on these systems.


Fact 

Employees at every level of the enterprise 
spend the majority of their day finding 
information, without consideration (or) 
time to care for what it means. 


In the Mean Time

While the applications play catch up, we can prepare by spending our
energy building an information interchange. Most applications will
adapt but for the ones that don't, we can offer access to the
interchange. The information interchange will play two key roles:

Manage the semantics so applications can share and integrate
information in a plug-and-play manner.

Operationalize the connection between strategy and operations so
that respective applications are able to stay in sync.

This is operationalizing flexibility.

Warning

Many of today's applications in the operational space play too key a
role in saying no, your organization can't afford to make that
change, because the created financial projection says you can't
afford to change the application.

Alternative Flexibility

Externally to the organization you should accept that change happens,
so look to build solutions such as information interchanges that
offer services to the strategy and operations groups within the
organization through the creation of a dedicated BSD based data
concourse service infrastructure.

BSD is a stable platform to build any type of transactional
processing system. Handle changes in a data concourse layer that
resides between business applications and operational applications.
Keep in mind that changes occur all over the enterprise: product
development, sales, customer support, IT, marketing, and all other
functions in an enterprise that operate in an environment of
increasing change.


Historically Speaking: Strategy and Operations Differ in Key Ways

Processes closer to strategy are semi-structured and constructed on
the fly. Processes in operations are clearly defined. The processes
that live closer to strategy use structured and unstructured inputs,
whereas operations rest on structured data supplied by reliable data
sources.

Questions to Ask

What processes exist today that touch both strategy and operations?

How does your organization tell the difference between structured
process and semi-structured process requests?

Is the leadership team able to see change coming based on top level
reports produced by the organization?

Can front line managers make changes to operations easily?


Take for example enterprise dashboards 
that monitor a myriad of organizational 
performance metrics. They provide 
valuable information to the people 
that need to know. However, do you 
have access to the systems required 
to modify (change) activities without 
disruption to the enterprise? Probably 
not. 


Case Study: BSD Network Management Tools

The majority of tools in use today deploy some type of agent to the
end node (let's call that a type of business management application)
which is done to accept or decline patches and code drops to the end
node: a type of shielded information interchange that exists between
the management node, patch server, reporting server, and end node. If
we scale this architecture to the larger business functions of the
organization for the singular purpose of increased flexibility, we
will see that we can make changes to operational process and
implement them with minimal disruption.


Case Study: BSD Security Patches

Applying security patches to your BSD environment is an important
part of maintaining computer software, especially the operating
system. For the longest time on FreeBSD, for example, this process
was not an easy one. Patches had to be applied to the source code,
the code rebuilt into binaries, and then the binaries had to be
re-installed. Today you can use a utility called freebsd-update. This
is an example of a service that can be offered at the information
interchange through the data concourse service.

This utility provides two separate functions. First, it allows for
binary security and errata updates to be applied to the FreeBSD base
system without disruption (the build and install requirements).
Secondly, the utility supports minor and major release upgrades
(again with minimal disruption).


Tip

Use the cvsup command to obtain and
update FreeBSD sources. To use it, you
will need to install a port or package
like net/cvsup-without-gui. If you are
using FreeBSD 6.2-RELEASE or later,
you may wish to substitute this with
csup(1), which is now part of the base
system.


Implementation

You know that organizations are inherently resistant to change so
your level of success will be determined in large part by your
approach. A well thought out plan is required. Take the following
implementation approach for organizations with up to 30,000
employees.

Pilot: 1-500 people
ROI (checkpoint)
Larger Group: 15,000 people
ROI (checkpoint)
Organization Wide: 30,000 people
ROI (checkpoint)


Conclusion

Business is constantly experimenting with new strategies to take
advantage of change while minimizing its disruptive effects. The
business environment will always be changing and you have the
opportunity to build new environments in support of operationalizing
flexibility by creating real time, adaptive connections between
business units.

This new approach goes beyond simple Enterprise Application
Integration (EAI), Service Platforms, and Business Process
Management. It's a call for a complete rethinking of the connections
that exist between and within every core group within the
organization. Any link that exists between two or more critical
business functions is fair game for this new thinking.

Enterprises that can leverage applications to create a balance
between standardization and flexibility (and then operationalize
flexibility) will have a unique competitive advantage which will
allow them to dominate in the marketplace. This is clearly an
opportunity for you to be on the forefront of this seismic shift that
is about to take place while unleashing the true power of BSD. If you
help establish these architectures; the ones that help organizations
make this transformation smoothly will most definitely benefit at
promotion/bonus time.
Living The PC-BSD Lifestyle

James T. Nixon III

Some people are Mac, some are Windows, I am PC-BSD. PC-BSD is more than an
operating system, it's a lifestyle.

Sitting next to my 47” Westinghouse LCD TV is the iXsystems Apollo
Workstation. This workstation is powered by the 5500 series of the
Intel Xeon processor, an Asus GeForce 9800 GT video card, and 4 gigs
of RAM. It came with PC-BSD Galileo Edition (7.1) pre-installed and a
handful of applications that immediately increased my quality of life
tenfold. Using free software instead of spending hundreds, or even
thousands of dollars on commercial software is great, especially
because I enjoy dabbling in Photoshop, FL Studio, Sony Music Studio,
as well as playing games such as Left 4 Dead, Half-Life 2, and Eve
Online.

First things first, can I play my favorite games? The answer (for me)
is absolutely! I am a huge fan of Valve and their Steam client
because I tend to scratch or lose CDs. I created my Steam account in
2004 when I purchased Half-Life 2, although I never finished the game
because my computer could not handle it. 45 minute loading screens do
not work for me... So, I forgot about Valve for a while and moved on
to other hobbies, namely music and web design. When I was away from
my drumset, I was on my PC hacking away at local band websites, doing
photomanipulation in Photoshop, or creating Classic Nintendo remixes
in Sony Music Studio (formerly Acid Pro). I was also dual-booting
random Linux distros (with much displeasure), because I got tired of
the constant degradation of performance on my Windows box. I found
that I couldn't enjoy most of my computer related hobbies on Linux,
and worse yet, most of the websites I was developing or visiting
didn't work or look the same. So I forgot about Linux for a while,
too.

Enter PC-BSD, one desktop to rule them all! The PC-BSD operating
system truly changed my life. No more Windows, no more Linux, and all
(okay most) of my hobbies intact. I replaced Photoshop with GIMP,
Sony Music Studio with Ardour, and Dreamweaver with Bluefish. The
transition from Windows to PC-BSD was fairly easy. Adapting to a new
collection of programs and bugs was the hardest part, but didn't stop
me from pursuing a Windowless lifestyle. I am not against commercial
software, I just prefer to spend money on open source software,
hardware, and video games. This is where Valve comes back into the
picture.


PC-BSD is for Gamers

One lazy afternoon, I was bored and thought I'd download the Steam
client from steampowered.com and install it on PC-BSD. PC-BSD comes
with Wine, so Steam installed without any problems. When I opened
Steam and entered my account details, all the games I purchased in
2004 were waiting for me to install. I was feeling pretty lucky at
this point, so I chose to install Half-Life 2 first. An hour or so
later I launched Half-Life 2. There was only one problem, sound did
not work. I was a little sad, but I turned captioning on and played
for a minute, saved, loaded, and then quit. After a minute of
searching on winehq.org I found out that all I needed to do was set
the sound acceleration in winecfg to Emulation.

After doing that, I launched Half-Life 2 again. This time sound
worked perfectly. Amazed at how beautiful the game looked, I pressed
my luck and maxed out the graphic settings to include full bloom and
reflection. Victory! To see what the FPS was, I opened the developer
console and typed 'cl_showfps 1' and the result was a steady 300
frames per second. Simply amazing. After playing Half-Life 2 for a
few hours I hopped on Deathmatch and CounterStrike: Source. Both
worked flawlessly. Pretty pleased with Valve at this point, I went to
http://store.steampowered.com and purchased Left 4 Dead which also
worked flawlessly on PC-BSD. The next Steam game I tried was Overlord
II, which didn't work at all, but Assassin's Creed from Ubisoft
played wonderfully. In the end, 4 of the 5 games I tested ended up
playing better on my PC-BSD machine than any Windows box I have ever
owned.


PC-BSD is for Music Lovers

Life is not all fun and games. You need to mix things up with music
too. There are many choices for audio players on PC-BSD. My personal
choice is Amarok. Amarok has an easy to use and intuitive interface
and comes with great features like displaying lyrics, downloading
album art, and connecting to your Last.fm account, just to name a
few. If you have a Last.fm account, you will also enjoy the Last.fm
PBI on pbidir.com. The Last.fm application is an easy to use radio
alternative. I tend to use it at work when I get bored of my local
collection. Another great alternative to the traditional FM radio is
Pandora.com, and it too works flawlessly on PC-BSD.

Pandora allows you to create a radio station based on your personal
tastes. As you give songs a thumbs up or thumbs down, Pandora takes
into account several attributes and plays similar songs. For example,
the acoustic version of Creep by Radiohead has pop rock qualities,
acoustic sonority, repetitive melodic phrasing, major key tonality,
and a dynamic male vocalist. Mix this with say, Cannibal Corpse, and
you'll have a unique blend of music in constant rotation. After
listening to music for a while I tend to get the musician's itch. If
this happens and I don't have a band to jam with, I open up Ardour
and start recording, editing, and mixing my own music. Ardour is very
similar to Cubase, Nuendo, Adobe Audition, etc... But like any
program, it has its quirks. After a few hours of use you'll feel
right at home. Ardour does multichannel recording, non-linear,
non-destructive region based editing with unlimited undo and redo
capabilities. It also features full automation support, an amazing
mixer, and plenty of plugins to tweak and shape sound to your heart's
content. I've had it crash a few times, but I found that turning off
auto-crossfade solved this problem. In the near future I am going to
set up a completely open source recording studio for my fellow
musical geeks and I to create “open music” for the masses.


PC-BSD is for Movie Buffs

PC-BSD has several applications for playing DVDs. I chose Xine. Xine
can play CDs, DVDs, and VCDs. It will also decode AVIs, MOVs, WMVs,
and MP3s from your local collection, as well as play multimedia
streamed from the net. If I'm not watching a DVD in Xine, I'm using
Miro as my open source alternative to DVR and Cable television. I
ditched paying for cable over a year ago. Using Miro made this
possible. I have all my favorite television shows auto-download as
they are released using various RSS torrent feeds. Miro can play most
video files and offers over 6,000 free internet TV shows and video
podcasts. Watching Lost in HD on my 1080p 47” television is a
wonderful experience. Occasionally, I want to watch a TV show
instantly. That's when I go to Hulu.com. Hulu.com is an amazing site
that streams HD television shows and movies over the internet using
Flash. All of this is done while I am lounging on my couch using a
wireless mouse and keyboard on my coffee table. And if watching
movies isn't enough, editing video is a snap with Kdenlive. Kdenlive
is a non-linear video editor for PC-BSD that is designed for basic or
semi-professional video editing. It supports DV, AVCHD (which is
considered experimental), and HDV editing. There are other video
editors out there, but Kdenlive was the easiest to get the job done.


PC-BSD is for Everyone!

Whether you're a gamer, music connoisseur, movie enthusiast, or all
of those, PC-BSD is the operating system for you. For more
information or to download PC-BSD, visit http://pcbsd.org. To
download PC-BSD software, visit http://pbidir.com.
Tips and tricks

Dru Lavigne

In this issue of BSD Tips and Tricks, readers share some of their
favourite tips for solving problems and saving time.

Instructing disklabel to Ignore /home

Denny White of OpenBSD101 has several tips available at
http://polarwave.openbsd101.com. One of his favourite tricks shows
how to keep the /home partition intact during an in-place upgrade.

NOTE: Before any upgrade, always backup your data first, just in case!

The gist of this trick is that you tell disklabel to ignore the /home
partition so it is not reformatted during the upgrade. To do this, go
through the normal install routine until you get to the disklabel
section. If you accept the defaults for each partition, your screen
will look something like the output in Figure 1.

Note that the default is to press enter for each partition, meaning
each partition will be formatted. Instead, you want to type in the
word none when you get to the /home partition so it looks like
Figure 2 instead.

You can then continue through the installation as usual.

Once the installation is complete, the upgraded system won't be aware
that you have an existing /home partition that you would like to
mount at boot time. You can fix this by editing /etc/fstab to re-add
your /home partition.

cd to Unknown Directory

Jan Schaumann of netmeister.org offers the following tip. To let the
shell figure out where the package to install is, type:

cd /usr/pkgsrc/*/package

This logic works on any system. Figure 3 shows example output from a
PC-BSD system. In this example, I wanted to cd to the build directory
for firefox and the shell figured out for me that it was a
subdirectory of /usr/ports/www. I then wanted to cd to the build
directory for gimp, and the shell figured out it was a subdirectory
of /usr/ports/graphics.

Figure 3 (terminal screenshot):

[root@pcbsd] /root(105)# cd /usr/ports/*/firefox
[root@pcbsd] /usr/ports/www/firefox(106)# cd /usr/ports/*/gimp
[root@pcbsd] /usr/ports/graphics/gimp(107)#

Adding Notification of RAID Status to Daily Output

Charles Sprickman of NYCBUG has a shell script he added to
/usr/local/etc/periodic/daily to put RAID status in his daily emails:
see Listing 1.

!$ Substitution

Francisco Reyes of NYCBUG reminds us how handy !$ can be. Figure 4
shows an example usage. In this example, the shell remembered that
the value of the last parameter in the ls /usr/home command was
/usr/home. In the second command, I asked to cd to that last value
(represented by the variable !$), meaning that the shell interpreted
this command as cd /usr/home.

Figure 4 (terminal screenshot; only these lines are legible):

[root@pcbsd] /root(111)# cd !$
[root@pcbsd] /usr/home(112)#


Miscellaneous FreeBSD Tips

George Rosamond of NYCBUG has several tips he uses on his FreeBSD
systems. He typically adds the following lines to /etc/rc.conf: see
Listing 2.

For servers that aren't running X11, add the following line to
/etc/make.conf before installing any ports:

WITHOUT_X11=yes

If you haven't heard of src.conf, read “man src.conf” to see if any
settings are useful to your environment.

If you'd like to be notified when a task or script is complete on a
remote system, add && mail to the command.

NetBSD 5 in Parallels 4

Michael Hernandez of NYCBUG was able to get NetBSD 5.x to work in
Parallels by configuring the guest OS section as Solaris after
discovering that choosing Other or FreeBSD did not properly configure
networking.

dtrace

Pete Wright and Sahil Tandon of NYCBUG have some tips for those of
you who have been wanting to give dtrace a try. The following scripts
are available on OSX 10.5:

iosnoop
iotop
iopattern
iopending
opensnoop

man -k dtrace or apropos dtrace on OSX shows a bunch of other
precooked scripts.

The DTraceToolkit, available in the sysutils section of the FreeBSD
ports collection, provides the same functionality.

CARP

Ike Levy and Okan Demirmen from NYCBUG have some suggestions for
those of you using carp(4) for redundant routers or firewalls. On
FreeBSD, the lagg(4) interface makes it extremely easy to set up link
failover or link aggregation using ifconfig.

On OpenBSD, use the trunk(4) interface. Both interfaces support load
balancing, the LACP protocol, and EtherChannel.


Keeping Output 

Headers with Sed 

Giorgos Keramidas  (htto://keramida. 
wordpress.com/) has a good tip can 
that be used to filter through the output 
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Listing 1. Adding Notification of RAID Status to Daily Output 


Hl oa hy Sh 


# show number of non-optimal drives attached to mpt raid card 


NONOPT='/sbin/sysctl -n dev.mpt.0.nonoptimal volumes’ 


echo 

echo "Checking MPT RAID array" 
echo 

if [ SNONOPT -eg 0 J]; then 

echo "No non-optimal volumes: (SNONOPT)" 


elif [| SNONOPT -ne O ]; then 


echo "WARNING, SNONOPT non-optimal volumes!" 


Listing 2. Miscellaneous FreeBSD Tips

syslog(3).
rc_info (bool) If set to "NO", disable informational messages from
        the rc scripts. Informational messages are displayed
        when a
        condition that is not serious enough to warrant a warning

Figure 5. grep vs. sed

of commands when matching specific patterns, without losing the header
line in the output:

command | sed -n -e 1p -e '/PATTERN/p'

Figure 5 shows the difference between grepping the output of a command
vs. using the sed pattern trick to filter the same output:

Notice that in the grep output, the beginning header line is stripped
away (USER, PID, %CPU, etc.) making the results less meaningful than the
sed output which includes the header information. This sed trick will
work with other sorts of commands such as ps(1) or iostat(1) output, or
any other command that outputs a header before numeric stats.
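
The difference Figure 5 illustrates, as an added example that is not from the original column: constructed ps-style output filtered with grep, with the column's sed form, and with a hypothetical variant that avoids printing the header twice when the header itself matches the pattern. The function names and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample resembling `ps aux` output (not captured from a real host).
sample_ps() {
    cat <<'EOF'
USER   PID %CPU %MEM COMMAND
root     1  0.0  0.1 /sbin/init
www    812  2.5  1.3 /usr/local/sbin/httpd
root   901  0.0  0.2 /usr/sbin/sshd
www    950  1.1  1.2 /usr/local/sbin/httpd
EOF
}

# Plain grep for comparison: the header survives only if it happens to match.
filter_grep() {
    grep -e "$1"
}

# The column's form: print line 1, then print every line matching the pattern.
# If the header itself matches, it is printed twice.
# The pattern is pasted into a sed address, so it must not contain "/".
hfilter_sed() {
    sed -n -e 1p -e "/$1/p"
}

# Hypothetical variant: line 1 is printed once and then dropped (d), so the
# pattern is only ever tested against the data lines.
hfilter_once() {
    sed -n -e '1{' -e p -e d -e '}' -e "/$1/p"
}
```

Piping `sample_ps` through `hfilter_sed USER` shows the doubled header, which matters when a later stage counts lines or parses columns.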

We hope that you have enjoyed the tips in this column. If you have any
tricks of your own, send them to dru@osbr.ca to be included in a future
edition of the column.

I haven't written about things like this in a while but the question
was put to me and I thought it'd be worth jotting something down.

Perhaps you prefer something like the generic eth0 used on your Linux
boxes or en0 as commonly found on


Listing 1. Original named interface ifconfig output

bge0: flags=8843 metric 0 mtu 1500
        options=9b
        ether O02 0b rcdti270d3-¢c3
        inet 10.10.10.13 netmask 0xffffff00 broadcast 10.10.10.255
        media: Ethernet autoselect (100baseTX)
        status: active
bge1: flags=8802 metric 0 mtu 1500
        options=9b
        ether U0 70bseds t27d3 7c2
        media: Ethernet autoselect (none)
        status: no carrier
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000

Listing 2. Renamed interface ifconfig output

bge0: flags=8843 metric 0 mtu 1500
        options=9b
        ether OO = Ubscdsi2sdg7c3
        inet 10.10.10.13 netmask 0xffffff00 broadcast 10.10.10.255
        media: Ethernet autoselect (100baseTX)
        status: active
e1: flags=8802 metric 0 mtu 1500
        options=9b
        ether OOF 0b scdii27d3 72
        media: Ethernet autoselect (none)
        status: no carrier
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000

Listing 3. Renamed interface ifconfig output after rebooting

e0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 00: 0b vcd) i 7d576c3
        inet 10.10.10.13 netmask 0xffffff00 broadcast 10.10.10.255
        media: Ethernet autoselect (100baseTX)
        status: active
bge1: flags=8802 metric 0 mtu 1500
        options=9b
        ether O070brcdsi2 7d3. C2
        media: Ethernet autoselect (none)
        status: no carrier
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000





Mac OS X servers, or maybe something as short as e0 typically found on
Cisco and Adtran routers and switches. Then again maybe you just want
to name them something specific like public, private or DMZ.

So first you are probably asking yourself why you would ever want to
change the name of your bge0 to something else. The answer simply comes
down to keeping things simple. Redundant, no? Honestly, if you have a
set of standard ipfw firewall rules, for instance, that you wish to roll
out to all of your machines, but they all have NIC cards from different
manufacturers, then this will require quite a lot of work. Therefore why
not just make it part of your initial setup to generic things up a bit?

Honestly, if you take a few minutes to prepare your machines ahead of
time then you can use some sort of version control tool like svn to hold
a single copy of your base firewall rules. Then you can perform a simple
checkout and raise your shields in seconds. A quick change to the base
is checked back in, and then if you had all machines on a trigger system
they can check out the current versions, effectively remodulating the
shield frequencies. Ok, perhaps that was a bit too Star Trekky for most
people.

So here's how to do it. On the command line as root or via sudo you can
invoke ifconfig directly as follows:




ifconfig bge1 name e1


Here is the basic ifconfig output prior to executing the above command:
see Listing 1.

And the same after executing the command: see Listing 2.

Notice that the only change was the name identifying the second
ethernet interface. Of course being able to manually manipulate the
ethernet interface names is all well and good. I suppose you could also
write your own script and stuff it into the rc.network startup
somewhere, but that'd be a total waste of effort when you can just use
the built-in rc.conf as follows to make the same change occur at
startup.

You would make a change similar to the following in /etc/rc.conf:

ifconfig_bge0_name="e0"
ifconfig_e0="inet 10.10.10.13 netmask 255.255.255.0"

After a reboot you would see the following ifconfig output: see
Listing 3.

Observe that the interface formerly known as bge0 is now simply e0. I
shall leave it up to your imagination as to why the name of e1 has
reverted back to bge1.

Honestly, FreeBSD allows you the power to name the interfaces whatever
you like. Maybe, just maybe you are one of those individuals that like
to name things after your favorite flavor of ice cream, or after your
favorite characters of Dune. Now that you know how, the choice is
entirely up to you. Go have fun with it! I hope that this little
technical note has been helpful.
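
A pre-flight check that fits the rollout described above, as an added example that is not part of the original article: before loading a shared ipfw ruleset, confirm that every interface name it references exists on the host, since a rule naming an absent interface (such as e1 after the reboot in Listing 3) will not match any traffic. The ruleset lines, function names and interface lists are constructed for illustration; on a live FreeBSD host the list would come from `ifconfig -l`.

```shell
#!/bin/sh
# Constructed ruleset fragment keyed to generic names (e0 outside, e1 inside).
sample_rules() {
    cat <<'EOF'
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 allow tcp from any to me 22 in recv e0 setup
add 400 allow ip from 10.10.10.0/24 to any via e1
EOF
}

# rule_ifaces: read rules on stdin and print, once each, every word that
# follows via/recv/xmit. Assumes the rules name interfaces there, not
# addresses or "any".
rule_ifaces() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "via" || $i == "recv" || $i == "xmit")
                   print $(i + 1) }' | sort -u
}

# missing_ifaces "IFLIST": read rules on stdin and print the referenced names
# that are not in IFLIST, a space-separated list of interfaces on the host.
missing_ifaces() {
    present=" $1 "
    rule_ifaces | while read -r name; do
        case "$present" in
            *" $name "*) ;;              # interface exists on this host
            *) echo "$name" ;;           # rule would never match
        esac
    done
}
```

A deployment script can refuse to load the ruleset whenever `missing_ifaces "$(ifconfig -l)"` prints anything.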


Year 40 of the UNIX epoch begins

Brian D’Arcangelo, MCSE, Lynn Community Health Center, Lynn, MA, USA 


As many UNIX/Linux users know, all UNIX-like operating systems start
the count of time at January 1, 1970, the start of the UNIX epoch. Yes,
I know that this is not precisely when the UNIX operating system was
born but for our purposes it will do. It is similar to the idea that
January 1, 2010 A.D. does not really represent the precise time since
the birth of Christ (astronomers have proven this to be off by a few
years) but we still use it as a time marker.

We do know that it was sometime 
in 1970 that the operating system got 
its name. Since it was derived from the 
abandoned MULTICS project at AT&T/Bell 
Labs it is said that Ken Thompson (one 
of its creators) chose the name Unics 
as a pun on the name Multics. Since 
the name Unics phonetically sounds like 
it ends in an x the name UNIX emerged 
and stuck. 

The summary I am interested in giving is not so much about the
chronological history of UNIX over the past 40 years but, instead, the
profound impact that this landmark operating system has had on all of
the operating systems that would follow. In my estimation, nearly every
modern computerized technology that we use today can be in some way
traced back to UNIX. We today can feel the same way towards the creators
of UNIX as Winston Churchill felt about the pilots in the RAF during
WWII when he said, Never has so much been owed by so many to so few.

Start with the technology that no one could imagine being without
today: the Internet. Even many non-technical persons are aware that the
Internet is completely dependent on the TCP/IP networking protocol. But
where did TCP/IP come from? It was first developed on the UNIX operating
system. For that matter, when the Internet was in its infancy and was
known as the DARPAnet, the entire backbone for it was built almost
exclusively on UNIX.

We also owe our ability to use the Internet in a human friendly way in
large part to UNIX. Whenever we enter an easy to remember URL into a web
browser (such as http://www.bsdmag.org) DNS does the dirty work of
translating that name into a network address and finding it. DNS was of
course first developed and run on UNIX when it was known as BIND
(Berkeley Internet Name Domain system) and became part of the BSD
version of UNIX.

While we are on the subject of DNS, 
it is noteworthy that some of the most 
important servers that are really the 
backbone of the entire Domain Naming 
system on the Internet are in fact running 
on a UNIX operating system. 

Indeed, to this day, not just DNS, but 
many of the bread-and-butter services 
we use on the Internet such as search 
engines (i.e. Google,) email, web servers, 
and so on, continue to be run on some 
flavor of UNIX. 

A little-known piece of operating system history is the contribution
that UNIX made to the growth of Microsoft in its early days. If you
worked at Microsoft in the early 1980s you would have been quite
familiar with UNIX. Microsoft's entire corporate network infrastructure
was built on the Xenix flavor of UNIX and it remained so for quite some
time. At that time, Microsoft believed that UNIX (i.e. Xenix) would
emerge as its flagship product. Later, when Microsoft switched to
directing its attention to MS-DOS, the legacy of UNIX persisted when
artifacts from UNIX such as piping and redirection were incorporated
into DOS.

UNIX is not only an important part of Microsoft's legacy, but Apple
Computers' as well. You would be surprised to know how many Mac OS X
users are not even aware that the operating system they are using is
really UNIX underneath the hood. The legacy of UNIX even persists in
such devices as Apple's iPod. You will see forums on the Internet
littered with questions from stumped owners wondering why their iPod has
mysteriously drifted to the date 1st January 1970.

While 1st January 1970 may be a mysterious date to the uninitiated, it
was and remains the date from which time began as far as the UNIX
community is concerned. May all of us today remember how much so many of
us owe to the so few geniuses that gave us the still living legacy of
the UNIX operating system.